<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Chapter 8. Files and directories</title>
<link rel="stylesheet" type="text/css" href="default.css">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="index.html" title="Fonaments de Slackware Linux">
<link rel="up" href="basics.html" title="Part II. Conceptes fonamentals de Slackware Linux">
<link rel="prev" href="chap-shell.html" title="Chapter 7. El shell">
<link rel="next" href="chap-textproc.html" title="Chapter 9. Text processing">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter 8. Files and directories</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="chap-shell.html">Prev</a> </td>
<th width="60%" align="center">Part II. Conceptes fonamentals de Slackware Linux</th>
<td width="20%" align="right"> <a accesskey="n" href="chap-textproc.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div lang="en" class="chapter">
<div class="titlepage"><div><div><h2 class="title">
<a name="chap-filesystem"></a>Chapter 8. Files and directories</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="sect1"><a href="chap-filesystem.html#chap-filesystem-introduction">8.1. Some theory</a></span></dt>
<dt><span class="sect1"><a href="chap-filesystem.html#chap-filesystems-analyzing">8.2. Analyzing files</a></span></dt>
<dt><span class="sect1"><a href="chap-filesystem.html#chap-filesystem-directories">8.3. Working with directories</a></span></dt>
<dt><span class="sect1"><a href="chap-filesystem.html#chap-filesystem-managing">8.4. Managing files and directories</a></span></dt>
<dt><span class="sect1"><a href="chap-filesystem.html#chap-filesystem-permissions">8.5. Permissions</a></span></dt>
<dt><span class="sect1"><a href="chap-filesystem.html#chap-filesystem-finding">8.6. Finding files</a></span></dt>
<dt><span class="sect1"><a href="chap-filesystem.html#basics-filesystem-archives">8.7. Archives</a></span></dt>
<dt><span class="sect1"><a href="chap-filesystem.html#basics-filesystem-mounting">8.8. Mounting filesystems</a></span></dt>
<dt><span class="sect1"><a href="chap-filesystem.html#basics-filesystem-gnupg">8.9. Encrypting and signing files</a></span></dt>
</dl>
</div>
  

  <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="chap-filesystem-introduction"></a>8.1. Some theory</h2></div></div></div>
    

    <p>
      Before we move on to look at practical filesystem operations, we
      are going to look at a more theoretical overview of how
      filesystems on UNIX-like systems work. Slackware Linux supports
      many different filesystems, but all these filesystems use
      virtually the same semantics. These semantics are provided
      through the <span class="emphasis"><em>Virtual Filesystem</em></span> (VFS)
      layer, giving a generic layer for disk and network filesystems.
    </p>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-introduction-atoms"></a>8.1.1. inodes, directories and data</h3></div></div></div>
      

      <p>
	The filesystem consists of two types of elements: data and
	metadata. The metadata describes the actual data blocks that
	are on the disk. Most filesystems use information nodes
	(inodes) to store metadata. Most filesystems store the
	following data in their inodes:
      </p>

      <div class="table">
<a name="chap-filesystem-introduction-atoms-inodes"></a><p class="title"><b>Table 8.1. Common inode fields</b></p>
<div class="table-contents">
        
        <table summary="Common inode fields" border="1">
<colgroup>
<col>
<col>
</colgroup>
<thead><tr>
<th>Field</th>
<th>Description</th>
</tr></thead>
<tbody>
<tr>
<td>mode</td>
<td>The file permissions.</td>
</tr>
<tr>
<td>uid</td>
<td>The user ID of the owner of the file.</td>
</tr>
<tr>
<td>gid</td>
<td>The group ID of the group of the file.</td>
</tr>
<tr>
<td>size</td>
<td>Size of the file in bytes.</td>
</tr>
<tr>
<td>ctime</td>
<td>File creation time.</td>
</tr>
<tr>
<td>mtime</td>
<td>Time of the last file modification.</td>
</tr>
<tr>
<td>links_count</td>
<td>The number of links pointing to this inode.</td>
</tr>
<tr>
<td>i_block</td>
<td>Pointers to data blocks</td>
</tr>
</tbody>
</table>
      </div>
</div>
<br class="table-break">

      <p>
	If you are not a UNIX or Linux afficiendo, these names will
	probably sound bogus to you, but we will clear them up in the
	following sections. At any rate, you can probably deduct the
	relation between inodes and data from this table, and
	specifically the <span class="emphasis"><em>i_block</em></span> field: every
	inode has pointers to the data blocks that the inode provides
	information for. Together, the inode and data blocks are the
	actual file on the filesystem.
      </p>

      <p>
	You may wonder by now where the names of files (and
	directories) reside, since there is no file name field in the
	inode. Actually, the names of the files are separated from the
	inode and data blocks, which allows you to do groovy stuff,
	like giving the same file more than one name. The filenames
	are stored in so-called directory entries. These entries
	specify a filename and the inode of the file. Since
	directories are also represented by inodes, a directory
	structure can also be constructed in this manner.
      </p>

      <p>
	We can simply show how this all works by illustrating what the
	kernel does when we execute the command <span class="command"><strong>cat
	/home/daniel/note.txt</strong></span>
      </p>

      <div class="orderedlist"><ol class="orderedlist" type="1">
<li class="listitem">
	  <p>
	    The system reads the inode of the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/</code></html:span>
	    directory, checks if the user is allowed to access this
	    inode, and reads the data block to find the inode number
	    of the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">home</code></html:span> directory.
	  </p>
        </li>
<li class="listitem">
          <p>
	    The system reads the inode of the
	    <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">home</code></html:span> directory, checks if the user is
	    allowed to access this inode, and reads the data block to
	    find the inode number of the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">daniel</code></html:span>
	    directory. </p>
        </li>
<li class="listitem">
          <p>
	    The system reads the inode of the
	    <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">daniel</code></html:span> directory, checks if the user is
	    allowed to access this inode, and reads the data block to
	    find the inode number of the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">note.txt</code></html:span>
	    file.
	  </p>
        </li>
<li class="listitem">
          <p>
	    The system reads the inode of the
	    <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">note.txt</code></html:span> file, checks if the user
	    is allowed to access this inode, and returns the data
	    blocks to <span class="command"><strong>cat</strong></span> through the
	    <span class="emphasis"><em>read()</em></span> system call. </p>
        </li>
</ol></div>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-introduction-permissions"></a>8.1.2. File permissions</h3></div></div></div>
      

      <p>
	As we have described earlier, Linux is a multi-user
	system. This means that each user has his/her own files (that
	are usually located in the home directory). Besides that users
	can be members of a group, which may give the user additional
	privileges.
      </p>

      <p>
	As you have seen in the inode field table, every file has a
	owner and a group.  Traditional UNIX access control gives
	read, write, or executable permissions to the file owner, file
	group, and other users. These permissions are stored in the
	<span class="emphasis"><em>mode</em></span> field of the inode. The mode field
	represents the file permissions as a four digit octal
	number. The first digit represents some special
	options, the second digit stores the owner permissions, the
	third the group permissions, and the fourth the permissions
	for other users. The permissions are established by digit by
	using or adding one of the number in <a class="xref" href="chap-filesystem.html#chap-filesystem-permissions-numbers" title="Table 8.2. Meaning of numbers in the mode octet">Table 8.2, “Meaning of numbers in the mode octet”</a>
      </p>

      <div class="table">
<a name="chap-filesystem-permissions-numbers"></a><p class="title"><b>Table 8.2. Meaning of numbers in the mode octet</b></p>
<div class="table-contents">
        
        <table summary="Meaning of numbers in the mode octet" border="1">
<colgroup>
<col>
<col>
</colgroup>
<thead><tr>
<th>Number</th>
<th>Meaning</th>
</tr></thead>
<tbody>
<tr>
<td>1</td>
<td>Execute (x)</td>
</tr>
<tr>
<td>2</td>
<td>Write (w)</td>
</tr>
<tr>
<td>4</td>
<td>Read (r)</td>
</tr>
</tbody>
</table>
      </div>
</div>
<br class="table-break">

      <p>
	Now, suppose that a file has mode <span class="emphasis"><em>0644</em></span>,
	this means that the file is readable and writable by the owner
	(<span class="emphasis"><em>6</em></span>), and readable by the file group
	(<span class="emphasis"><em>4</em></span>) and others
	(<span class="emphasis"><em>4</em></span>). </p>

      <p>
	Most users do not want to deal with octal numbers, so that is
	why many utilities can also deal with an alphabetic
	representation of file permissions. The letters that are
	listed in <a class="xref" href="chap-filesystem.html#chap-filesystem-permissions-numbers" title="Table 8.2. Meaning of numbers in the mode octet">Table 8.2, “Meaning of numbers in the mode octet”</a> between
	parentheses are used in this notation. In the following
	example information about a file with
	<span class="emphasis"><em>0644</em></span> permissions is printed. The numbers
	are replaced by three rwx triplets (the first character can
	list special mode options).
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls -l note.txt</code></strong>
-rw-r--r--  1 daniel daniel 5 Aug 28 19:39 note.txt
      </pre>

      <p>
	Over the years these traditional UNIX permissions have proven
	not to be sufficient in some cases. The POSIX 1003.1e
	specification aimed to extend the UNIX access control model
        with <span class="emphasis"><em>Access Control Lists</em></span> (ACLs).
	Unfortunately this effort stalled,
        though some systems (like GNU/Linux) have implemented ACLs<a href="#ftn.idm962816236" class="footnote" name="idm962816236"><sup class="footnote">[4]</sup></a>. Access control
        lists follow the same semantics as normal file permissions,
        but give you the opportunity to add <span class="emphasis"><em>rwx</em></span>
        triplets for additional users and groups. </p>

      <p>
	The following example shows the access control list of a
	file. As you can see, the permissions look like normal UNIX
	permissions (the access rights for the user, group, and others
	are specified). But there is also an additional entry for the
	user <span class="emphasis"><em>joe</em></span>.
      </p>

      <pre class="programlisting">
user::rwx
user:joe:r--
group::---
mask::r--
other::---
      </pre>

      <p>
	To make matters even more complex (and sophisticated), some
	GNU/Linux systems add more fine-grained access control through
	Mandatory Access Control Frameworks (MAC) like SELinux and
	AppArmor. But these access control frameworks are beyond the
	scope of this book.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystems-introduction-links"></a>8.1.3. Links</h3></div></div></div>
      

      <p>
	A directory entry that points to an inode is named a
	<span class="emphasis"><em>hard link</em></span>.  Most files are only linked
	once, but nothing holds you from linking a file twice. This
	will increase the <span class="emphasis"><em>links_count</em></span> field of
	the inode. This is a nice way for the system to see which
	inodes and data blocks are free to use. If links_count is set
	to zero, the inode is not referred to anymore, and can be
	reclaimed.
      </p>

      <div class="figure">
<a name="chap-filesystems-introduction-links-hardlink"></a><p class="title"><b>Figure 8.1. The structure of a hard link</b></p>
<div class="figure-contents">
        

        <div class="mediaobject"><img src="../../images/hardlink.png" alt="The structure of a hard link"></div>
      </div>
</div>
<br class="figure-break">

      <p>
	Hard links have two limitations. First of all, hard links can
	not interlink between file systems, since they point to
	inodes. Every filesystem has its own inodes and corresponding
	inode numbers. Besides that, most filesystems do not allow you
	to create hard links to directories. Allowing creation of hard
	links to directories could produce directory loops,
	potentially leading to deadlocks and filesystem
	inconsistencies. In addition to that, most implementations of
	<span class="command"><strong>rm</strong></span> and <span class="command"><strong>rmdir</strong></span> do not know
	how to deal with such extra directory hard links.
      </p>

      <p>
        <span class="emphasis"><em>Symbolic links</em></span> do not have these
        limitations, because they point to file names, rather than
        inodes. When the symbolic link is used, the operating system
        will follow the path to that link. Symbolic links can also
        refer to a file that does not exist, since it just contains a
        name. Such links are called dangling links.
      </p>

      <div class="figure">
<a name="chap-filesystems-introduction-links-symlink"></a><p class="title"><b>Figure 8.2. The structure of a symbolic link</b></p>
<div class="figure-contents">
        

        <div class="mediaobject"><img src="../../images/symlink.png" alt="The structure of a symbolic link"></div>
      </div>
</div>
<br class="figure-break">

      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="../images/note.png"></td>
<th align="left">Note</th>
</tr>
<tr><td align="left" valign="top">
        <p>
	  If you ever get into system administration, it is good to be
	  aware of the security implications of hard links. If the
	  <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/home</code></html:span> directory is on the same
	  filesystem as any system binaries, a user will be able to
	  create hard links to binaries.  In the case that a
	  vulnerable program is upgraded, the link in the user's home
	  directory will keep pointing to the old program binary,
	  effectively giving the user continuing access to a
	  vulnerable binary.
	</p>

        <p>
	  For this reason it is a good idea to put any directories
	  that users can write to on different filesystems. In
	  practice, this means that it is a good idea to put at least
	  <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/home</code></html:span> and <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/tmp</code></html:span> on
	  separate filesystems.
        </p>
      </td></tr>
</table></div>
    </div>
  </div>

  <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="chap-filesystems-analyzing"></a>8.2. Analyzing files</h2></div></div></div>
    

    <p>
      Before going to some more adventurous venues, we will start
      with some file and directory usage basics.
    </p>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystems-analyzing-listing"></a>8.2.1. Listing files</h3></div></div></div>
      

      <p>
	One of the most common things that you will want to do is to
	list all or certain files. The <span class="command"><strong>ls</strong></span> command
	serves this purpose very well. Using <span class="command"><strong>ls</strong></span>
	without any arguments will show the contents of the actual
	directory:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls</code></strong>
dns.txt  network-hosts.txt  papers
      </pre>

      <p>
	If you use a GNU/Linux distribution, you may also see some
	fancy coloring based on the type of file. The standard output
	is handy to skim through the contents of a directory, but if
	you want more information, you can use the <em class="parameter"><code>-l</code></em> parameter. This provides a
	so-called long listing for each file:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls -l</code></strong>
total 36
-rw-rw-r--  1 daniel daniel 12235 Sep  4 15:56 dns.txt
-rw-rw-r--  1 daniel daniel  7295 Sep  4 15:56 network-hosts.txt
drwxrwxr-x  2 daniel daniel  4096 Sep  4 15:55 papers
      </pre>

      <p>
	This gives a lot more information about the three directory
	entries that we have found with <span class="command"><strong>ls</strong></span>.  The
	first column shows the file permissions. The line that shows
	the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">papers</code></html:span> entry starts with a
	<span class="quote">“<span class="quote">d</span>”</span>, meaning that this entry represents a
	directory. The second column shows the number of hard links
	pointing to the inode that a directory entry points to. If
	this is higher than 1, there is some other filename for the
	same file. Directory entries usually have at least two hard
	links, namely the link in the parent directory and the link in
	the directory itself (each directory has a
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">.</code></html:span> entry, which refers to the directory
	itself). The third and the fourth columns list the file owner
	and group respectively. The fifth column contains the file
	size in bytes. The sixth column the last modification time and
	date of the file. And finally, the last column shows the name
	of this entry.
      </p>

      <p>
	Files that start with a period (.) will not be shown by most
	applications, including <span class="command"><strong>ls</strong></span>. You can list
	these files too, by adding the <em class="parameter"><code>-a</code></em> option to
	<span class="command"><strong>ls</strong></span>:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls -la</code></strong>
total 60
drwxrwxr-x   3 daniel daniel  4096 Sep 11 10:01 .
drwx------  88 daniel daniel  4096 Sep 11 10:01 ..
-rw-rw-r--   1 daniel daniel 12235 Sep  4 15:56 dns.txt
-rw-rw-r--   1 daniel daniel  7295 Sep  4 15:56 network-hosts.txt
drwxrwxr-x   2 daniel daniel  4096 Sep  4 15:55 papers
-rw-rw-r--   1 daniel daniel     5 Sep 11 10:01 .settings
      </pre>

      <p>
	As you can see, three more entries have appeared. First of
	all, the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">.settings</code></html:span> file is now
	shown. Besides that you can see two additional directory
	entries, <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">.</code></html:span> and
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">..</code></html:span>. These represent the current directory
	and the parent directory respectively.
      </p>

      <p>
	Earlier in this chapter (<a class="xref" href="chap-filesystem.html#chap-filesystem-introduction-atoms" title="8.1.1. inodes, directories and data">Section 8.1.1, “inodes, directories and data”</a>) we talked
	about inodes. The inode number that a directory entry points
	to can be shown with the <em class="parameter"><code>-i</code></em> parameter. Suppose that I have
	created a hard link to the inode that points to the same inode
	as <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">dns.txt</code></html:span>, they should have the same
	inode number. The following <span class="command"><strong>ls</strong></span> output shows
	that this is true:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls -i dns*</code></strong>
3162388 dns-newhardlink.txt
3162388 dns.txt
      </pre>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-analyzing-file"></a>8.2.2. Determining the type of a file</h3></div></div></div>
      

      <p>
	Sometimes you will need some help to determine the type of a
	file. This is where the <span class="command"><strong>file</strong></span> utility
	becomes handy. Suppose that I find a file named
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">HelloWorld.class</code></html:span> somewhere on my disk. I
	suppose that this is a file that holds Java bytecode, but we
	can use <span class="command"><strong>file</strong></span> to check this:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>file HelloWorld.class</code></strong>
HelloWorld.class: compiled Java class data, version 49.0
      </pre>

      <p>
	That is definitely Java bytecode. <span class="command"><strong>file</strong></span> is
	quite smart, and handles most things you throw at it. For
	instance, you could ask it to provide information about a
	device node:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>file /dev/zero</code></strong>
/dev/zero: character special (1/5)
      </pre>

      <p>
	Or a symbolic link:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>file /usr/X11R6/bin/X</code></strong>
/usr/X11R6/bin/X: symbolic link to `Xorg'
      </pre>

      <p>
	If you are rather interested in the file
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/usr/X11R6/bin/X</code></html:span> links to, you can use
	the <em class="parameter"><code>-L</code></em> option of
	<span class="command"><strong>file</strong></span>:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>file -L /usr/X11R6/bin/X</code></strong>
/usr/X11R6/bin/X: setuid writable, executable, regular file, no read permission
      </pre>

      <p>
	You may wonder why <span class="command"><strong>file</strong></span> can determine the
	file type relatively easy. Most files start of with a
	so-called <span class="emphasis"><em>magic number</em></span>, this is a unique
	number that tells programs that can read the file what kind of
	file it is. The <span class="command"><strong>file</strong></span> program uses a file
	which describes many file types and their magic numbers.  For
	instance, the magic file on my system contains the following
	lines for Java compiled class files:
      </p>

      <pre class="programlisting">
# Java ByteCode
# From Larry Schwimmer (schwim@cs.stanford.edu)
0       belong          0xcafebabe      compiled Java class data,
&gt;6      beshort x       version %d.
&gt;4      beshort x       \b%d
      </pre>

      <p>
	This entry says that if a file starts with a long (32-bit)
	hexadecimal magic number <span class="emphasis"><em>0xcafebabe</em></span><a href="#ftn.idm962784100" class="footnote" name="idm962784100"><sup class="footnote">[5]</sup></a>, it is a file that holds
          <span class="quote">“<span class="quote">compiled Java class data</span>”</span>. The short that
          follows determines the class file format version.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-analyzing-integrity"></a>8.2.3. File integrity</h3></div></div></div>
      

      <p>
	While we will look at more advanced file integrity checking
	later,  we will have a short look at the
	<span class="command"><strong>cksum</strong></span> utility. <span class="command"><strong>cksum</strong></span> can
	calculate a cyclic redundancy check (CRC) for an input
	file. This is a mathematically sound method for calculating a
	unique number for a file. You can use this number to check
	whether a file is unchanged (for example, after downloading a
	file from a server). You can specify the file to calculate a
	CRC for as a parameter to <span class="command"><strong>cksum</strong></span>, and
	<span class="command"><strong>cksum</strong></span> will print the CRC, the file size in
	bytes, and the file name:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>cksum myfile</code></strong>
1817811752 22638 myfile
      </pre>

      <p>
	Slackware Linux also provides utilities for calculating
	checksums based on one-way hashes (for instance MD5 or SHA-1).
	
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-analyzing-viewing"></a>8.2.4. Viewing files</h3></div></div></div>
      

      <p>
	Since most files on UNIX systems are usually text files, they
	are easy to view from a character-based terminal or terminal
	emulator. The most primitive way of looking at the contents of
	a file is by using <span class="command"><strong>cat</strong></span>.
	<span class="command"><strong>cat</strong></span> reads files that were specified as a
	parameter line by line, and will write the lines to the
	standard output. So, you can write the contents of the file
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">note.txt</code></html:span> to the terminal with
	<span class="command"><strong>cat note.txt</strong></span>. While some systems and most
	terminal emulators provide support for scrolling, this is not
	a practical way to view large files. You can pipe the output
	of <span class="command"><strong>cat</strong></span> to the <span class="command"><strong>less</strong></span>
	paginator:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>cat note.txt | less</code></strong>
      </pre>

      <p>
	or let <span class="command"><strong>less</strong></span> read the file directly:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>less note.txt</code></strong>
      </pre>

      <p>
	The <span class="command"><strong>less</strong></span> paginator lets you scroll forward
	and backward through a file. <a class="xref" href="chap-filesystem.html#chap-filesystem-analyzing-viewing-less-keys" title="Table 8.3. less command keys">Table 8.3, “less command keys”</a>
	provides an overview of the most important keys that are used
	to control <span class="command"><strong>less</strong></span>
      </p>

      <div class="table">
<a name="chap-filesystem-analyzing-viewing-less-keys"></a><p class="title"><b>Table 8.3. less command keys</b></p>
<div class="table-contents">
        

        <table summary="less command keys" border="1">
<colgroup>
<col>
<col>
</colgroup>
<thead><tr>
<th>Key</th>
<th>Description</th>
</tr></thead>
<tbody>
<tr>
<td>j</td>
<td>Scroll forward one line.</td>
</tr>
<tr>
<td>k</td>
<td>Scroll backwards one line.</td>
</tr>
<tr>
<td>f</td>
<td>Scroll forward one screen full of text.</td>
</tr>
<tr>
<td>b</td>
<td>Scroll backwards one screen full of text.</td>
</tr>
<tr>
<td>q</td>
<td>Quit less.</td>
</tr>
<tr>
<td>g</td>
<td>Jump to the beginning of the file.</td>
</tr>
<tr>
<td>G</td>
<td>Jump to the end of the file.</td>
</tr>
<tr>
<td>/<span class="emphasis"><em>pattern</em></span>
</td>
<td> Search for the <a class="ulink" href="#chap-textproc-regexps" target="_top">regular expression</a>
                <span class="emphasis"><em>pattern</em></span>. </td>
</tr>
<tr>
<td>n</td>
<td> Search for the next match of the previously specified regular expression.
              </td>
</tr>
<tr>
<td>m<span class="emphasis"><em>letter</em></span>
</td>
<td> Mark the current position in the file with <span class="emphasis"><em>letter</em></span>.
              </td>
</tr>
<tr>
<td>'<span class="emphasis"><em>letter</em></span>
</td>
<td>Jump to the mark <span class="emphasis"><em>letter</em></span>
</td>
</tr>
</tbody>
</table>
      </div>
</div>
<br class="table-break">

      <p>
	The command keys that can be quantized can be prefixed by a
	number. For instance <span class="emphasis"><em>11j</em></span> scrolls forward
	eleven lines, and <span class="emphasis"><em>3n</em></span> searches the third
	match of the previously specified regular expression.
      </p>

      <p>
	Slackware Linux also provides an alternative to
	<span class="command"><strong>less</strong></span>, the older <span class="quote">“<span class="quote">more</span>”</span> command.
	We will not go into <span class="emphasis"><em>more</em></span> here,
	<span class="command"><strong>less</strong></span> is more comfortable, and also more popular
	these days.
      </p>

    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-analyzing-filesize"></a>8.2.5. File and directory sizes</h3></div></div></div>
      

      <p>
	The <span class="command"><strong>ls -l</strong></span> output that we have seen earlier
	provides information about the size of a file. While this
	usually provides enough information about the size of files,
	you might want to gather information about collections of
	files or directories. This is where the <span class="command"><strong>du</strong></span>
	command comes in. By default, <span class="command"><strong>du</strong></span> prints the
	file size per directory. For example:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>du ~/qconcord</code></strong>
72      /home/daniel/qconcord/src
24      /home/daniel/qconcord/ui
132     /home/daniel/qconcord
      </pre>

      <p>
        By default, <span class="command"><strong>du</strong></span> represents the size in 1024
        byte units. You can explicitly specify that
        <span class="command"><strong>du</strong></span> should use 1024 byte units by adding the
        <em class="parameter"><code>-k</code></em> flag. This is useful
	for writing scripts, because some other systems default to
	using 512-byte blocks. For example:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>du -k ~/qconcord</code></strong>
72	/home/daniel/qconcord/src
24	/home/daniel/qconcord/ui
132	/home/daniel/qconcord
      </pre>

      <p>
	If you would also like to see per-file disk usage, you can add
	the <em class="parameter"><code>-a</code></em> flag:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>du -k -a ~/qconcord</code></strong>
8       /home/daniel/qconcord/ChangeLog
8       /home/daniel/qconcord/src/concordanceform.h
8       /home/daniel/qconcord/src/textfile.cpp
12      /home/daniel/qconcord/src/concordancemainwindow.cpp
12      /home/daniel/qconcord/src/concordanceform.cpp
8       /home/daniel/qconcord/src/concordancemainwindow.h
8       /home/daniel/qconcord/src/main.cpp
8       /home/daniel/qconcord/src/textfile.h
72      /home/daniel/qconcord/src
12      /home/daniel/qconcord/Makefile
16      /home/daniel/qconcord/ui/concordanceformbase.ui
24      /home/daniel/qconcord/ui
8       /home/daniel/qconcord/qconcord.pro
132     /home/daniel/qconcord
      </pre>

      <p>
	You can also use the name of a file or a wildcard as a
	parameter. But this will not print the sizes of files in
	subdirectories, unless <em class="parameter"><code>-a</code></em> is used:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>du -k -a ~/qconcord/*</code></strong>
8       /home/daniel/qconcord/ChangeLog
12      /home/daniel/qconcord/Makefile
8       /home/daniel/qconcord/qconcord.pro
8       /home/daniel/qconcord/src/concordanceform.h
8       /home/daniel/qconcord/src/textfile.cpp
12      /home/daniel/qconcord/src/concordancemainwindow.cpp
12      /home/daniel/qconcord/src/concordanceform.cpp
8       /home/daniel/qconcord/src/concordancemainwindow.h
8       /home/daniel/qconcord/src/main.cpp
8       /home/daniel/qconcord/src/textfile.h
72      /home/daniel/qconcord/src
16      /home/daniel/qconcord/ui/concordanceformbase.ui
24      /home/daniel/qconcord/ui
      </pre>

      <p>
	If you want to see the total sum of the disk usage of the
	files and subdirectories that a directory holds, use the
	<em class="parameter"><code>-s</code></em> flag:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>du -k -s ~/qconcord</code></strong>
132     /home/daniel/qconcord
      </pre>
    </div>
  </div>

  <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="chap-filesystem-directories"></a>8.3. Working with directories</h2></div></div></div>
    

    <p>
      After having a bird's eye view of directories in <a class="xref" href="chap-filesystem.html#chap-filesystem-introduction-atoms" title="8.1.1. inodes, directories and data">Section 8.1.1, “inodes, directories and data”</a>, we will have a
      look at some directory-related commands.
    </p>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-directories-listing"></a>8.3.1. Listing directories</h3></div></div></div>
      

      <p>
	The <span class="command"><strong>ls</strong></span> command that we have looked at in
	<a class="xref" href="chap-filesystem.html#chap-filesystems-analyzing-listing" title="8.2.1. Listing files">Section 8.2.1, “Listing files”</a> can also
	be used to list directories in various ways. As we have seen,
	the default <span class="command"><strong>ls</strong></span> output includes directories,
	and directories can be identified using the first output
	column of a long listing:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls -l</code></strong>
total 36
-rw-rw-r--  1 daniel daniel 12235 Sep  4 15:56 dns.txt
-rw-rw-r--  1 daniel daniel  7295 Sep  4 15:56 network-hosts.txt
drwxrwxr-x  2 daniel daniel  4096 Sep  4 15:55 papers
      </pre>

      <p>
	If a directory name, or if wildcards are specified,
	<span class="command"><strong>ls</strong></span> will list the contents of the directory,
	or the directories that match the wildcard respectively. For example,
	if there is a directory <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">papers</code></html:span>, <span class="command"><strong>ls
	paper*</strong></span> will list the contents of this directory
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">paper</code></html:span>. This is often annoying if you
	would just like to see the matches, and not the contents of
	the matching directories. The <em class="parameter"><code>-d</code></em> avoid that this recursion
	happens:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls -ld paper*</code></strong>
drwxrwxr-x  2 daniel daniel  4096 Sep  4 15:55 papers
      </pre>

      <p>
	You can also recursively list the contents of a directory, and
	its subdirectories with the <em class="parameter"><code>-R</code></em> parameter:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls -R</code></strong>
.:
dns.txt  network-hosts.txt  papers

./papers:
cs  phil

./papers/cs:
entr.pdf

./papers/phil:
logics.pdf
      </pre>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-directories-management"></a>8.3.2. Creating and removing directories</h3></div></div></div>
      

      <p>
	UNIX provides the <span class="command"><strong>mkdir</strong></span> command to create
	directories. If a relative path is specified, the directory is
	created in the current active directory. The basic syntax is
	very simple: <span class="emphasis"><em>mkdir &lt;name&gt;</em></span>, for
	example:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>mkdir mydir</code></strong>
      </pre>

      <p>
	By default, <span class="command"><strong>mkdir</strong></span> only creates one
	directory level. So, if you use <span class="command"><strong>mkdir</strong></span> to
	create <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">mydir/mysubdir</code></html:span>,
	<span class="command"><strong>mkdir</strong></span> will fail if
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">mydir</code></html:span> does not exist already. If you
	would like to create both directories at once, use the
	<em class="parameter"><code>-p</code></em> parameter:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>mkdir -p mydir/mysubdir</code></strong>
      </pre>

      <p>
	<span class="command"><strong>rmdir</strong></span> removes a directory. Its behavior is
	comparable to <span class="command"><strong>mkdir</strong></span>. <span class="command"><strong>rmdir
	mydir/mysubdir</strong></span> removes <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">mydir/subdir</code></html:span>,
	while <span class="command"><strong>rmdir -p mydir/mysubdir</strong></span> removes
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">mydir/mysubdir</code></html:span> and then
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">mydir</code></html:span>.
      </p>

      <p>
	If a subdirectory that we want to remove contains directory
	entries, <span class="command"><strong>rmdir</strong></span> will fail. If you would like
	to remove a directory, including all its contents, use the
	<span class="command"><strong>rm</strong></span> command instead. 
      </p>
    </div>
  </div>

  <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="chap-filesystem-managing"></a>8.4. Managing files and directories</h2></div></div></div>
    

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-managing-copying"></a>8.4.1. Copying</h3></div></div></div>
      

      <p>
	Files and directories can be copied with the
	<span class="command"><strong>cp</strong></span> command. In its most basic syntax the
	source and the target file are specified. The following
	example will make a copy of <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">file1</code></html:span> named
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">file2</code></html:span>:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>cp file1 file2</code></strong>
      </pre>

      <p>
	It is not surprising that relative and absolute paths do also
	work:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>cp file1 somedir/file2</code></strong>
$ <strong class="userinput"><code>cp file1 /home/joe/design_documents/file2</code></strong>
      </pre>

      <p>
	You can also specify a directory as the second parameter. If
	this is the case, <span class="command"><strong>cp</strong></span> will make a copy of
	the file in that directory, giving it the same file name as
	the original file. If there is more than one parameter, the
	last parameter will be used as the target directory. For
	instance
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>cp file1 file2 somedir</code></strong>
      </pre>

      <p>
	will copy both <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">file1</code></html:span> and
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">file2</code></html:span> to the directory
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">somedir</code></html:span>. You can not copy multiple files
	to one file. You will have to use <span class="command"><strong>cat</strong></span>
	instead: 
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>cat file1 file2 &gt; combined_file</code></strong>
      </pre>

      <p>
	You can also use <span class="command"><strong>cp</strong></span> to copy directories, by
	adding the <em class="parameter"><code>-R</code></em>. This
	will recursively copy a directory and all its
	subdirectories. If the target directory exists, the source
	directory or directories will be placed under the target
	directory. If the target directory does not exist, it will be
	created if there is only one source directory.
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>cp -r mytree tree_copy</code></strong>
$ <strong class="userinput"><code>mkdir trees</code></strong>
$ <strong class="userinput"><code>cp -r mytree trees</code></strong>
      </pre>

      <p>
	After executing these commands, there are two copies of the directory
        <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">mytree</code></html:span>, <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">tree_copy</code></html:span> and
        <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">trees/mytree</code></html:span>. Trying to copy two directories to a nonexistent target
        directory will fail:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>cp -R mytree mytree2 newdir</code></strong>
usage: cp [-R [-H | -L | -P]] [-f | -i] [-pv] src target
       cp [-R [-H | -L | -P]] [-f | -i] [-pv] src1 ... srcN directory
      </pre>

      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="../images/note.png"></td>
<th align="left">Note</th>
</tr>
<tr><td align="left" valign="top">
	<p>
	  Traditionally, the <em class="parameter"><code>-r</code></em>
	  has been available on many UNIX systems to recursively copy
	  directories. However, the behavior of this parameter can be
	  implementation-dependent, and the Single UNIX Specification
	  version 3 states that it may be removed in future versions
	  of the standard.
	</p>
      </td></tr>
</table></div>

      <p>
	When you are copying files recursively, it is a good idea to
	specify the behavior of what <span class="command"><strong>cp</strong></span> should do
	when a symbolic link is encountered explicitly, if you want
	to use <span class="command"><strong>cp</strong></span> in portable scripts. The
	Single UNIX Specification version 3 does not specify how they
	should be handled by default. If <em class="parameter"><code>-P</code></em> is used, symbolic links will
	not be followed, effectively copying the link itself. If
	<em class="parameter"><code>-H</code></em> is used, symbolic
	links specified as a parameter to <span class="command"><strong>cp</strong></span> may be
	followed, depending on the type and content of the file. If
	<em class="parameter"><code>-L</code></em> is used, symbolic
	links that were specified as a parameter to
	<span class="command"><strong>cp</strong></span> and symbolic links that were encountered
	while copying recursively may be followed, depending on the
	content of the file.
      </p>

      <p>
	If you want to preserve the ownership, SGID/SUID bits, and the
	modification and access times of a file, you can use the
	<em class="parameter"><code>-p</code></em> flag. This will try to preserve
	these properties in the file or directory copy. Good
	implementations of <span class="command"><strong>cp</strong></span> provide some
	additional protection as well - if the target file already
	exists, it may not be overwritten if the relevant metadata
	could not be preserved.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-managing-moving"></a>8.4.2. Moving files and directories</h3></div></div></div>
      

      <p>
	The UNIX command for moving files, <span class="command"><strong>mv</strong></span>, can
	move or rename files or directories. What actually happens
	depends on the location of the files or directories. If the
	source and destination files or directories are on the same
	filesystem, <span class="command"><strong>mv</strong></span> usually just creates new
	hard links, effectively renaming the files or directories. If
	both are on different filesystems, the files are actually
	copied, and the source files or directories are
	unlinked.
      </p>

      <p>
	The syntax of <span class="command"><strong>mv</strong></span> is comparable to
	<span class="command"><strong>cp</strong></span>. The most basic syntax renames
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">file1</code></html:span> to <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">file2</code></html:span>:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>mv file1 file2</code></strong>
      </pre>

      <p>
	The same syntax can be used for two directories as well, which
	will rename the directory given as the first parameter to the
	second parameter.
      </p>

      <p>
	When the last parameter is an existing directory, the file or
	directory that is specified as the first parameter, is copied
	to that directory. In this case you can specify multiple files
	or directories as well. For instance:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>mkdir targetdir</code></strong>
$ <strong class="userinput"><code>mv file1 directory1 targetdir</code></strong>
      </pre>

      <p> This creates the directory <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">targetdir</code></html:span>, and moves
        <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">file1</code></html:span> and <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">directory1</code></html:span> to this directory. </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-managing-removing"></a>8.4.3. Removing files and directories</h3></div></div></div>
      

      <p>
	Files and directories can be removed with the <span class="citerefentry">
          <span class="refentrytitle">rm</span>
          (1)
        </span> command. This command unlinks files and directories. If there are no other
        links to a file, its inode and disk blocks can be reclaimed for new files. Files can be
        removed by providing the files that should be removed as a parameter to <span class="citerefentry">
          <span class="refentrytitle">rm</span>
          (1)
        </span>. If the file is not writable, <span class="citerefentry">
          <span class="refentrytitle">rm</span>
          (1)
        </span> will ask for confirmation. For instance, to remove
        <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">file1</code></html:span> and <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">file2</code></html:span>, you can execute: </p>

      <pre class="screen">
$ <strong class="userinput"><code>rm file1 file2</code></strong>
      </pre>

      <p>
	If you have to remove a large number of files that require a confirmation before they
        can be deleted, or if you want to use <span class="citerefentry">
          <span class="refentrytitle">rm</span>
          (1)
        </span> to remove files from a script that will not be run on a terminal, add the
          <em class="parameter"><code>-f</code></em> parameter to override the use of prompts. Files
        that are not writable, are deleted with the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">-f</code></html:span> flag if the file
        ownership allows this. This parameter will also suppress printing of errors to
          <span class="emphasis"><em>stderr</em></span> if a file that should be removed was not found. </p>

      <p> Directories can be removed recursively as well with the <em class="parameter"><code>-r</code></em> parameter. <span class="citerefentry">
          <span class="refentrytitle">rm</span>
          (1)
        </span> will traverse the directory structure, unlinking and removing directories as
        they are encountered. The same semantics are used as when normal files are removed, as far
        as the <em class="parameter"><code>-f</code></em> flag is concerned. To give a short example,
        you can recursively remove all files and directories in the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">notes</code></html:span>
        directory with: </p>

      <pre class="screen">
$ <strong class="userinput"><code>rm -r notes</code></strong>
      </pre>

      

      <p> Since <span class="citerefentry">
          <span class="refentrytitle">rm</span>
          (1)
        </span> command uses the <span class="citerefentry">
          <span class="refentrytitle">unlink</span>
          (2)
        </span> function, data blocks are not rewritten to an uninitialized state. The
        information in data blocks is only overwritten when they are reallocated and used at a later
        time. To remove files including their data blocks securely, some systems provide a <span class="citerefentry">
          <span class="refentrytitle">shred</span>
          (1)
        </span> command that overwrites data blocks with random data. But this is not
        effective on many modern (journaling) filesystems, because they don't write data in place. </p>

      <p> The <span class="citerefentry">
          <span class="refentrytitle">unlink</span>
          (1)
        </span> commands provides a one on one implementation of the <span class="citerefentry">
          <span class="refentrytitle">unlink</span>
          (2)
        </span> function. It is of relatively little use, because it can not remove
        directories. </p>
    </div>
  </div>

  <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="chap-filesystem-permissions"></a>8.5. Permissions</h2></div></div></div>
    

    <p> We touched the subject of file and directory permissions in <a class="xref" href="chap-filesystem.html#chap-filesystem-introduction-permissions" title="8.1.2. File permissions">Section 8.1.2, “File permissions”</a>. In this section, we will look at the <span class="citerefentry">
        <span class="refentrytitle">chown</span>
        (1)
      </span> and <span class="citerefentry">
        <span class="refentrytitle">chmod</span>
        (1)
      </span> commands, that are used to set the file ownership and permissions
      respectively. After that, we are going to look at a modern extension to permissions named
      Access Control Lists (ACLs). </p>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-permissions-ownership"></a>8.5.1. Changing the file ownership</h3></div></div></div>
      

      <p> As we have seen earlier, every file has an owner (user) ID and a group ID stored in the
        inode. The <span class="citerefentry">
          <span class="refentrytitle">chown</span>
          (1)
        </span> command can be used to set these fields. This can be done by the numeric
        IDs, or their names. For instance, to change the owner of the file
        <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">note.txt</code></html:span> to <span class="emphasis"><em>john</em></span>, and its group to
        <span class="emphasis"><em>staff</em></span>, the following command is used: </p>

      <pre class="screen">
$ <strong class="userinput"><code>chown john:staff note.txt</code></strong>
      </pre>

      <p> You can also omit either components, to only set one of both fields. If you want to set
        the user name, you can also omit the colon. So, the command above can be split up in two
        steps: </p>

      <pre class="screen">
$ <strong class="userinput"><code>chown john note.txt</code></strong>
$ <strong class="userinput"><code>chown :staff note.txt</code></strong>
      </pre>

      <p> If you want to change the owner of a directory, and all the files or directories it
        holds, you can add the <em class="parameter"><code>-R</code></em> to <span class="citerefentry">
          <span class="refentrytitle">chown</span>
          (1)
        </span>: </p>

      <pre class="screen">
$ <strong class="userinput"><code>chown -R john:staff notes</code></strong>
      </pre>

      <p> If user and group names were specified, rather than IDs, the names are converted by <span class="citerefentry">
          <span class="refentrytitle">chown</span>
          (1)
        </span>. This conversion usually relies on the system-wide password database. If you
        are operating on a filesystem that uses another password database (e.g. if you mount a root
        filesystem from another system for recovery), it is often useful to change file ownership by
        the user or group ID. In this manner, you can keep the relevant user/group name to ID
        mappings in tact. So, changing the ownership of <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">note</code></html:span> to UID 1000 and
        GUID 1000 is done in the following (predictable) manner: </p>

      <pre class="screen">
$ <strong class="userinput"><code>chown 1000:1000 note.txt</code></strong>
      </pre>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-permissions-permbits"></a>8.5.2. Changing file permission bits</h3></div></div></div>
      

      <p> After reading the introduction to filesystem permissions in <a class="xref" href="chap-filesystem.html#chap-filesystem-introduction-permissions" title="8.1.2. File permissions">Section 8.1.2, “File permissions”</a>, changing the permission bits that
        are stored in the inode is fairly easy with the <span class="citerefentry">
          <span class="refentrytitle">chmod</span>
          (1)
        </span> command. <span class="citerefentry">
          <span class="refentrytitle">chmod</span>
          (1)
        </span> accepts both numeric and symbolic representations of permissions.
        Representing the permissions of a file numerically is very handy, because it allows setting
        all relevant permissions tersely. For instance: </p>

      <pre class="screen">
$ <strong class="userinput"><code>chmod 0644 note.txt</code></strong>
      </pre>

      <p> Make <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">note.txt</code></html:span> readable and writable for the owner of the file, and
        readable for the file group and others. </p>

      <p> Symbolic permissions work with addition or subtraction of rights, and allow for
        relative changes of file permissions. The syntax for symbolic permissions is: </p>

      <pre class="screen">
[ugo][-+][rwxst]
      </pre>

      <p> The first component specifies the user classes to which the permission change applies
        (user, group or other). Multiple characters of this component can be combined. The second
        component takes away rights (<span class="emphasis"><em>-</em></span>), or adds rights
        (<span class="emphasis"><em>+</em></span>). The third component is the access specifier (read, write, execute,
        set UID/GID on execution, sticky). Multiple components can be specified for this component
        too. Let's look at some examples to clear this up: </p>

      <pre class="screen">
ug+rw        # Give read/write rights to the file user and group
chmod go-x   # Take away execute rights from the file group and others.
chmod ugo-wx # Disallow all user classes to write to the file and to
             # execute the file.
      </pre>

      <p> These commands can be used in the following manner with chmod: </p>

      <pre class="screen">
$ <strong class="userinput"><code>chmod ug+rw note.txt</code></strong>
$ <strong class="userinput"><code>chmod go-x script1.sh</code></strong>
$ <strong class="userinput"><code>chmod ugo-x script2.sh</code></strong>
      </pre>

      <p> Permissions of files and directories can be changed recursively with the <em class="parameter"><code>-R</code></em>. The following command makes the directory
        <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">notes</code></html:span> world-readable, including its contents: </p>

      <pre class="screen">
$ <strong class="userinput"><code>chmod -R ugo+r notes</code></strong>
      </pre>

      <p> Extra care should be taken with directories, because the <span class="emphasis"><em>x</em></span> flag
        has a special meaning in a directory context. Users that have execute rights on directories
        can access a directory. User that don't have execute rights on directories can not. Because
        of this particular behavior, it is often easier to change the permissions of a directory
        structure and its files with help of the <span class="citerefentry">
          <span class="refentrytitle">find</span>
          (1)
        </span> command . </p>

      <p> There are a few extra permission bits that can be set that have a special meaning. The
        SUID and SGID are the most interesting bits of these extra bits. These bits change the
        active user ID or group ID to that of the owner or group of the file when the file is
        executed. The <span class="command"><strong>su(1)</strong></span> command is a good example of a file that usually has
        the SUID bit set: </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls -l /bin/su</code></strong>
-rwsr-xr-x  1 root root 60772 Aug 13 12:26 /bin/su
      </pre>

      <p> This means that the <span class="command"><strong>su</strong></span> command runs as the user
        <span class="emphasis"><em>root</em></span> when it is executed. The SUID bit can be set with the
        <span class="emphasis"><em>s</em></span> modifier. For instance, if the SUID bit was not set on
          <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/bin/su</code></html:span> this could be done with: </p>

      <pre class="screen">
$ <strong class="userinput"><code>chmod u+s /bin/su</code></strong>
      </pre>

      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="../images/note.png"></td>
<th align="left">Note</th>
</tr>
<tr><td align="left" valign="top">
        <p> Please be aware that the SUID and SGID bits have
        security implications. If a program with these bits set
        contain a bug, it may be exploited to get privileges of the
        file owner or group. For this reason it is good manner to keep
        the number of files with the SUID and SGID bits set to an
        absolute minimum. </p>
      </td></tr>
</table></div>

      <p> The sticky bit is also interesting when it comes to
      directory. It disallows users to rename or unlink files that
      they do not own, in directories that they do have write access
      to. This is usually used on world-writeable directories, like
      the temporary directory (<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/tmp</code></html:span>) on many UNIX
      systems. The sticky tag can be set with the
      <span class="emphasis"><em>t</em></span> modifier: </p>

      <pre class="screen">
$ <strong class="userinput"><code>chmod g+t /tmp</code></strong>
      </pre>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-permissions-umask"></a>8.5.3. File creation mask</h3></div></div></div>
      

      <p>
	The question that remains is what initial permissions are used
	when a file is created.  This depends on two factors: the mode
	flag that was passed to the <span class="emphasis"><em>open(2)</em></span>
	system call, that is used to create a file, and the active
	file creation mask. The file creation mask can be represented
	as an octal number. The effective permissions for creating the
	file are determined as <span class="emphasis"><em>mode &amp;
	~mask</em></span>. Or, if represented in an octal fashion, you
	can substract the digits of the mask from the mode. For
	instance, if a file is created with permissions
	<span class="emphasis"><em>0666</em></span> (readable and writable by the file
	user, file group, and others), and the effective file creation
	mask is <span class="emphasis"><em>0022</em></span>, the effective file
	permission will be <span class="emphasis"><em>0644</em></span>. Let's look at
	another example. Suppose that files are still created with
	<span class="emphasis"><em>0666</em></span> permissions, and you are more
	paranoid, and want to take away all read and write permissions
	for the file group and others. This means you have to set the
	file creation mask to <span class="emphasis"><em>0066</em></span>, because
	substracting <span class="emphasis"><em>0066</em></span> from
	<span class="emphasis"><em>0666</em></span> yields
	<span class="emphasis"><em>0600</em></span>
      </p>
      
      <p>
        The effective file creation mask can be queried and set with
        the <span class="command"><strong>umask</strong></span> command, that is normally a
        built-in shell command. The effective mask can be printed by
        running <span class="command"><strong>umask</strong></span> without any parameters:
      </p>
      
      <pre class="screen">
$ <strong class="userinput"><code>umask</code></strong>
0002
      </pre>
      
      <p>
        The mask can be set by giving the octal mask number as a
        parameter. For instance:
      </p>
      
      <pre class="screen">
$ <strong class="userinput"><code>umask 0066</code></strong>
      </pre>
      
      <p>
        We can verify that this works by creating an empty file:
      </p>
      
      <pre class="screen">
$ <strong class="userinput"><code>touch test</code></strong>
$ <strong class="userinput"><code>ls -l test</code></strong>
-rw-------  1 daniel daniel 0 Oct 24 00:10 test2
      </pre>
      
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-permissions-acl"></a>8.5.4. Access Control Lists</h3></div></div></div>
      

      <p>
	Access Control lists (<acronym class="acronym">ACL</acronym>s) are an
	extension to traditional UNIX file permissions, that allow for
	more fine-grained access control. Most systems that support
	filesystem ACLs implement them as they were specified in the
	POSIX.1e and POSIX.2c draft specifications. Notable UNIX and
	UNIX-like systems that implement ACLs according to this draft
	are FreeBSD, Solaris, and Linux.
      </p>

      <p>
	As we have seen in <a class="xref" href="chap-filesystem.html#chap-filesystem-introduction-permissions" title="8.1.2. File permissions">Section 8.1.2, “File permissions”</a> access
	control lists allows you to use read, write and execute
	triplets for additional users or groups. In contrast to the
	traditional file permissions, additional access control lists
	are not stored directly in the node, but in extended
	attributes that are associated with files. Two thing to be
	aware of when you use access control lists is that not all
	systems support them, and not all programs support them.
      </p>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="chap-filesystem-permissions-acl-reading"></a>8.5.4.1. Reading access control lists</h4></div></div></div>
	

	<p>
	  On most systems that support ACLs, <span class="command"><strong>ls</strong></span>
	  uses a visual indicator to show that there are ACLs
	  associated with a file. For example:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>ls -l index.html</code></strong>
-rw-r-----+ 1 daniel daniel 3254 2006-10-31 17:11 index.html
	</pre>

	<p>
	  As you can see, the permissions column shows an additional
	  plus (<span class="emphasis"><em>+</em></span>) sign. The permission bits do
	  not quite act like you expect them to be. We will get to
	  that in a minute.
	</p>

	<p>
	  The ACLs for a file can be queried with the
	  <span class="command"><strong>getfacl</strong></span> command:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>getfacl index.html</code></strong>
# file: index.html
# owner: daniel
# group: daniel
user::rw-
group::---
group:www-data:r--
mask::r--
other::---
	</pre>

	<p>
	  Most lines can be interpreted very easily: the file user has
	  read/write permissions, the file group no permissions, users
	  of the group <span class="emphasis"><em>www-data</em></span> have read
	  permissions, and other users have no permissions. But why
	  does the group entry list no permissions for the file group,
	  while <span class="command"><strong>ls</strong></span> does? The secret is that if
	  there is a <span class="emphasis"><em>mask</em></span> entry,
	  <span class="command"><strong>ls</strong></span> displays the value of the mask, rather
	  than the file group permissions.
	</p>

	<p>
	  The <span class="emphasis"><em>mask</em></span> entry is used to restrict all
	  list entries with the exception of that of the file user,
	  and that for other users. It is best to memorize the
	  following rules for interpreting ACLs:
	</p>

	<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
	    <p>
	      The <span class="emphasis"><em>user::</em></span> entry permissions
	      correspond with the permissions of the file owner.
	    </p>
	  </li>
<li class="listitem">
	    <p>
	      The <span class="emphasis"><em>group::</em></span> entry permissions
	      correspond with the permissions of the file group,
	      unless there is a <span class="emphasis"><em>mask::</em></span> entry. If
	      there is a <span class="emphasis"><em>mask::</em></span> entry, the
	      permissions of the group correspond to the group
	      entry with the the mask entry as the maximum of allowed
	      permissions (meaning that the group restrictions can be
	      more restrictive, but not more permissive).
	    </p>
	  </li>
<li class="listitem">
	    <p>
	      The permissions of other users and groups correspond to
	      their <span class="emphasis"><em>user:</em></span> and
	      <span class="emphasis"><em>group:</em></span> entries, with the value of
	      <span class="emphasis"><em>mask::</em></span> as their maximum
	      permissions.
	    </p>
	  </li>
</ul></div>

	<p>
	  The second and third rules can clearly be observed if there
	  is a user or group that has more rights than the mask for
	  the file:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>getfacl links.html</code></strong>
# file: links.html
# owner: daniel
# group: daniel
user::rw-
group::rw-                      #effective:r--
group:www-data:rw-              #effective:r--
mask::r--
other::---
	</pre>

	<p>
	  Although read and write permissions are specified for the
	  file and <span class="emphasis"><em>www-data</em></span> groups, both groups
	  will effectively only have read permission, because this is
	  the maximal permission that the mask allows.
	</p>

	<p>
	  Another aspect to pay attention to is the handling of ACLs
	  on directories. Access control lists can be added to
	  directories to govern access, but directories can also have
	  <span class="emphasis"><em>default ACLs</em></span> which specify the initial
	  ACLs for files and directories created under that directory.
	</p>

	<p>
	  Suppose that the directory <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">reports</code></html:span> has
	  the following ACL:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>getfacl reports</code></strong>
# file: reports
# owner: daniel
# group: daniel
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:mask::r-x
default:other::---
	</pre>

	<p>
	  New files that are created in the
	  <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">reports</code></html:span> directory get a ACL based on
	  the entries that have <span class="emphasis"><em>default:</em></span> as a
	  prefix. For example:
	</p>

	<pre class="screen">
$ touch reports/test
$ getfacl reports/test
# file: reports/test
# owner: daniel
# group: daniel
user::rw-
group::r-x                      #effective:r--
group:www-data:r-x              #effective:r--
mask::r--
other::---
	</pre>

	<p>
	  As you can see, the default ACL was copied. The execute bit
	  is removed from the mask, because the new file was not
	  created with execute permissions.
	</p>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="chap-filesystem-permissions-acl-setting"></a>8.5.4.2. Creating access control lists</h4></div></div></div>
	

	<p>
	  The ACL for a file or directory can be changed with the
	  <span class="command"><strong>setfacl</strong></span> program. Unfortunately, the
	  usage of this program highly depends on the system that
	  is being used. To add to that confusion, at least one
	  important flag (<em class="parameter"><code>-d</code></em>)
	  has a different meanings on different systems. One can
	  only hope that this command will get standardized.
	</p>

	<div class="table">
<a name="chap-filesystem-permissions-acl-setting-flags"></a><p class="title"><b>Table 8.4. System-specific <span class="command">setfacl</span> flags</b></p>
<div class="table-contents">
	  
	  
	  <table summary="System-specific setfacl flags" border="1">
<colgroup>
<col>
<col>
</colgroup>
<thead><tr>
<th>Operation</th>
<th>Linux</th>
</tr></thead>
<tbody>
<tr>
<td>Set entries, removing all old entries</td>
<td><em class="parameter"><code>--set</code></em></td>
</tr>
<tr>
<td>Modify entries</td>
<td><em class="parameter"><code>-m</code></em></td>
</tr>
<tr>
<td>Modify default ACL entries</td>
<td><em class="parameter"><code>-d</code></em></td>
</tr>
<tr>
<td>Delete entry</td>
<td><em class="parameter"><code>-x</code></em></td>
</tr>
<tr>
<td>
		  Remove all ACL entries (except for the three
		  required entries).
		</td>
<td><em class="parameter"><code>-b</code></em></td>
</tr>
<tr>
<td>Recalculate mask</td>
<td>
		  Always recalculated, unless <em class="parameter"><code>-n</code></em> is used, or an mask
		  entry expicitly specified.
		</td>
</tr>
<tr>
<td>Use ACL specification from a file</td>
<td>
		  <em class="parameter"><code>-M</code></em> (modify),
		  <em class="parameter"><code>-X</code></em> (delete),
		  or <em class="parameter"><code>--restore</code></em>
		</td>
</tr>
<tr>
<td>Recursive modification of ACLs</td>
<td><em class="parameter"><code>-R</code></em></td>
</tr>
</tbody>
</table>
	</div>
</div>
<br class="table-break">

	<p>
	  As we have seen in the previous section, entries can be
	  specified for users and groups, by using the following
	  syntax:
	  <span class="emphasis"><em>user/group:name:permissions</em></span>. Permissions
	  can be specified as a triplet by using the letters
	  <span class="emphasis"><em>r</em></span> (read), <span class="emphasis"><em>w</em></span>
	  (write), or <span class="emphasis"><em>x</em></span> (execute). A dash
	  (<span class="emphasis"><em>-</em></span>) should be used for permissions that
	  you do not want to give to the user or group, since Solaris
	  requires this. If you want to disallow access completely,
	  you can use the <span class="emphasis"><em>---</em></span> triplet.
	</p>

	<p>
	  The specification for other users, and the mask
	  follows this format: <span class="emphasis"><em>other:r-x</em></span>. The
	  following slightly more predictable format can also be
	  used: <span class="emphasis"><em>other::r-x</em></span>.
	</p>

	<div class="sect4">
<div class="titlepage"><div><div><h5 class="title">
<a name="chap-filesystem-permissions-acl-setting-modify"></a>8.5.4.2.1. Modifying ACL entries</h5></div></div></div>
	  

	  <p>
	    The simplest operation is to modify an ACL entry. This
	    will create a new entry if the entry does not exist
	    yet. Entries can be modified with the <em class="parameter"><code>-m</code></em>. For instance, suppose that
	    we want to give the group <span class="emphasis"><em>friend</em></span> read
	    and write access to the file
	    <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">report.txt</code></html:span>. This can be done with:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>setfacl -m group:friends:rw- report.txt</code></strong>
	  </pre>

	  <p>
	    The mask entry will be recalculated, setting it to the
	    union of all group entries, and additional user entries:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>getfacl report.txt</code></strong>
# file: report.txt
# owner: daniel
# group: daniel
user::rw-
group::r--
group:friends:rw-
mask::rw-
other::r--
	  </pre>

	  <p>
	    You can combine multiple ACL entries
	    by separating them with a comma character. For instance:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>setfacl -m group:friends:rw-,group:foes:--- report.txt</code></strong>
	  </pre>
	</div>

	<div class="sect4">
<div class="titlepage"><div><div><h5 class="title">
<a name="chap-filesystem-permissions-acl-setting-removing"></a>8.5.4.2.2. Removing ACL entries</h5></div></div></div>
	  

	  <p>
	    An entry can be removed with the <em class="parameter"><code>-x</code></em> option:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>setfacl -x group:friends: report.txt</code></strong>
	  </pre>

	  <p>
	    The trailing colon can optionally be omitted.
	  </p>
	</div>

	<div class="sect4">
<div class="titlepage"><div><div><h5 class="title">
<a name="chap-filesystem-permissions-acl-setting-new"></a>8.5.4.2.3. Making a new ACL</h5></div></div></div>
	  

	  <p>
	    The <em class="parameter"><code>--set</code></em> option
	    is provided create a new access control list
	    for a file, clearing all existing entries,
	    except for the three required entries.
	    It is required that the file user, group and
	    other entries are also specified. For example:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>setfacl --set user::rw-,group::r--,other:---,group:friends:rwx report.txt</code></strong>
	  </pre>

	  <p>
	    If you do not want to clean the user, group, and other
	    permissions, but do want to clear all other ACL entries,
	    you can use the <em class="parameter"><code>-b</code></em>
	    option. The following example uses this in combination
	    with the <em class="parameter"><code>-m</code></em> option
	    to clear all ACL entries (except for user, group, and other),
	    and to add an entry for the <span class="emphasis"><em>friends</em></span>
	    group:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>setfacl -b -m group:friends:rw- report.txt</code></strong>
	  </pre>
	</div>

	<div class="sect4">
<div class="titlepage"><div><div><h5 class="title">
<a name="chap-filesystem-permissions-acl-setting-default"></a>8.5.4.2.4. Setting a default ACL</h5></div></div></div>
	  

	  <p>
	    As we have seen in <a class="xref" href="chap-filesystem.html#chap-filesystem-permissions-acl" title="8.5.4. Access Control Lists">Section 8.5.4, “Access Control Lists”</a>, directories
	    can have default ACL entries that specify what permissions
	    should be used for files and directories that are created
	    below that directory. The <em class="parameter"><code>-d</code></em>
	    option is used to operate on default entries:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>setfacl -d -m group:friends:rwx reports</code></strong>
$ <strong class="userinput"><code>getfacl reports</code></strong>
# file: reports
# owner: daniel
# group: daniel
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:friends:rwx
default:mask::rwx
default:other::r-x
	  </pre>
	</div>

	<div class="sect4">
<div class="titlepage"><div><div><h5 class="title">
<a name="chap-filesystem-permissions-acl-setting-filesource"></a>8.5.4.2.5. Using an ACL from a reference file</h5></div></div></div>
	  

	  <p>
	    You can also use an ACL specification from file, rather
	    than specifying it on the command line. An input file follows
	    the same
	    syntax as specifying entries as a parameter to
	    <span class="command"><strong>setfacl</strong></span>, but the entries are separated
	    by newlines, rather than by commas. This is very useful,
	    because you can use the ACL for an existing file as a
	    reference:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>getfacl report.txt &gt; ref</code></strong>
	  </pre>

	  <p>
	    The <em class="parameter"><code>-M</code></em> option
	    is provided to modify the ACL for a
	    file by reading the entries from a file. So, if we have a
	    file named <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">report2.txt</code></html:span>, we could
	    modify the ACL for this file with the entries from
	    <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">ref</code></html:span> with:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>setfacl -M ref report2.txt</code></strong>
	  </pre>

	  <p>
	    If you would like to start with a clean ACL, and add the
	    entries from <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">ref</code></html:span>, you can add the
	    <em class="parameter"><code>-b</code></em> flag that we
	    encountered earlier:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>setfacl -b -M ref report2.txt</code></strong>
	  </pre>

	  <p>
	    Of course, it is not necessary to use this interim
	    file. We can directly pipe the output from
	    <span class="command"><strong>getfacl</strong></span> to <span class="command"><strong>setfacl</strong></span>,
	    by using the symbolic name for the standard input
	    (<span class="emphasis"><em>-</em></span>), rather than the name of a file:
	  </p>

	  <pre class="screen">
$ <strong class="userinput"><code>getfacl report.txt | setfacl -b -M - report2.txt</code></strong>
	  </pre>

	  <p>
	    The <em class="parameter"><code>-X</code></em> removes
	    the ACL entries defined in a file. This follows the same syntax as the
	    <em class="parameter"><code>-x</code></em> flag, with
	    commas replaced by newlines.
	  </p>
	</div>
      </div>
    </div>
  </div>

  <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="chap-filesystem-finding"></a>8.6. Finding files</h2></div></div></div>
    

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-finding-find"></a>8.6.1. find</h3></div></div></div>
      

      <p>
	The <span class="command"><strong>find</strong></span> command is without doubt the most
	comprehensive utility to find files on UNIX systems. Besides
	that it works in a simple and predictable way:
	<span class="command"><strong>find</strong></span> will traverse the directory tree or
	trees that are specified as a parameter to
	<span class="command"><strong>find</strong></span>. Besides that a user can specify an
	expression that will be evaluated for each file and directory.
	The name of a file or directory will be printed if the
	expression evaluates to <span class="emphasis"><em>true</em></span>. The first
	argument that starts with a dash (<span class="emphasis"><em>-</em></span>),
	exclamation mark (<span class="emphasis"><em>!</em></span>, or an opening
	parenthesis (<span class="emphasis"><em>(</em></span>, signifies the start of
	the expression. The expression can consist of various
	operands.  To wrap it up, the syntax of
	<span class="command"><strong>find</strong></span> is: <span class="emphasis"><em>find paths
	expression</em></span>.
      </p>

      <p>
	The simplest use of <span class="command"><strong>find</strong></span> is to use no
	expression.  Since this matches every directory and subdirectory
	entry, all files and directories will be printed. For instance:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>find .</code></strong>
.
./economic
./economic/report.txt
./economic/report2.txt
./technical
./technical/report2.txt
./technical/report.txt
      </pre>

      <p>
	You can also specify multiple directories:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>find economic technical</code></strong>
economic
economic/report.txt
economic/report2.txt
technical
technical/report2.txt
technical/report.txt
      </pre>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="chap-filesystem-finding-find-nametype"></a>8.6.1.1. Operands that limit by object name or type</h4></div></div></div>
	

	<p>
	  One common scenario for finding files or directories is to
	  look them up by name. The <span class="emphasis"><em>-name</em></span> operand
	  can be used to match objects that have a certain name, or
	  match a particular wildcard. For instance, using the operand
	  <span class="emphasis"><em>-name 'report.txt'</em></span> will only be true
	  for files or directories with the name
	  <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">report.txt</code></html:span>. For example:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find economic technical -name 'report.txt'</code></strong>
economic/report.txt
technical/report.txt
	</pre>

	<p>
	  The same thing holds for wildcards:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find economic technical -name '*2.txt'</code></strong>
economic/report2.txt
technical/report2.txt
	</pre>

	<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="../images/note.png"></td>
<th align="left">Note</th>
</tr>
<tr><td align="left" valign="top">
	  <p>
	    When using <span class="command"><strong>find</strong></span> you will want to pass
	    the wildcard to <span class="command"><strong>find</strong></span>, rather than
	    letting the shell expand it. So, make sure that patterns
	    are either quoted, or that wildcards are escaped.
	  </p>
	</td></tr>
</table></div>

	<p>
	  It is also possible to evaluate the type of the object with
	  the <span class="emphasis"><em>-type c</em></span> operand, where
	  <span class="emphasis"><em>c</em></span> specifies the type to be matched.
	  <a class="xref" href="chap-filesystem.html#chap-filesystem-finding-find-nametype-type-params" title="Table 8.5. Parameters for the '-type' operand">Table 8.5, “Parameters for the '-type' operand”</a> lists the various object types that can be used.
	</p>

	<div class="table">
<a name="chap-filesystem-finding-find-nametype-type-params"></a><p class="title"><b>Table 8.5. Parameters for the '-type' operand</b></p>
<div class="table-contents">
	  

	  <table summary="Parameters for the '-type' operand" border="1">
<colgroup>
<col>
<col>
</colgroup>
<thead><tr>
<th>Parameter</th>
<th>Meaning</th>
</tr></thead>
<tbody>
<tr>
<td>b</td>
<td>Block device file</td>
</tr>
<tr>
<td>c</td>
<td>Character device file</td>
</tr>
<tr>
<td>d</td>
<td>Directory</td>
</tr>
<tr>
<td>f</td>
<td>Regular file</td>
</tr>
<tr>
<td>l</td>
<td>Symbolic link</td>
</tr>
<tr>
<td>p</td>
<td>FIFO</td>
</tr>
<tr>
<td>s</td>
<td>Socket</td>
</tr>
</tbody>
</table>
	</div>
</div>
<br class="table-break">

	<p>
	  So, for instance, if you would like to match directories,
	  you could use the <span class="emphasis"><em>d</em></span> parameter to
	  <span class="emphasis"><em>-type</em></span> operand:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -type d</code></strong>
.
./economic
./technical
	</pre>

	<p>
	  We will look at forming a complex expression at the end of
	  this section about <span class="command"><strong>find</strong></span>, but at this
	  moment it is handy to know that you can make a boolean 'and'
	  expression by specifying multiple operands. For instance
	  <span class="emphasis"><em>operand1 operand2</em></span> is true if both
	  <span class="emphasis"><em>operand1</em></span> and
	  <span class="emphasis"><em>operand2</em></span> are true for the object that
	  is being evaluated. So, you could combine the
	  <span class="emphasis"><em>-name</em></span> and <span class="emphasis"><em>-type</em></span>
	  operands to find all directories that start with
	  <span class="emphasis"><em>eco</em></span>:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -name 'eco*' -type d</code></strong>
./economic
	</pre>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="chap-filesystem-finding-find-perms"></a>8.6.1.2. Operands that limit by object ownership or permissions</h4></div></div></div>
	

	<p>
	  Besides matching objects by their name or type, you can also
	  match them by their active permissions or the object ownership.
	  This is often useful to find files that have incorrect permissions
	  or ownership.
	</p>

	<p>
	  The owner (user) or group of an object can be matched with
	  respectively the <span class="emphasis"><em>-user username</em></span> and
	  <span class="emphasis"><em>-group groupname</em></span> variants. The name of
	  a user or group will be interpreted as a user ID or group ID
	  if the name is decimal, and could not be found on the system
	  with
	  <span class="citerefentry"><span class="refentrytitle">getpwnam</span>(3)</span>
	  or
	  <span class="citerefentry"><span class="refentrytitle">getgrnam</span>(3)</span>. So,
	  if you would like to match all objects of which
	  <span class="emphasis"><em>joe</em></span> is the owner, you can use
	  <span class="emphasis"><em>-user joe</em></span> as an operand:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -user joe</code></strong>
./secret/report.txt
	</pre>

	<p>
	  Or to find all objects with the group
	  <span class="emphasis"><em>friend</em></span> as the file group:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -group friends</code></strong>
./secret/report.txt
	</pre>

	<p>
	  The operand for checking file permissions
	  <span class="emphasis"><em>-perm</em></span> is less trivial. Like the
	  <span class="command"><strong>chmod</strong></span> command this operator can work with
	  octal and symbolic permission notations. We will start with
	  looking at the octal notation. If an octal number is
	  specified as a parameter to the <span class="emphasis"><em>-perm</em></span>
	  operand, it will match all objects that have exactly that
	  permissions. For instance, <span class="emphasis"><em>-perm 0600</em></span>
	  will match all objects that are only readable and writable
	  by the user, and have no additional flags set:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -perm 0600</code></strong>
./secret/report.txt
	</pre>

	<p>
	  If a dash is added as a prefix to a number, it will match
	  every object that has at least the bits set that are
	  specified in the octal number. A useful example is to find
	  all files which have at least writable bits set for
	  <span class="emphasis"><em>other</em></span> users with <span class="emphasis"><em>-perm
	  -0002</em></span>. This can help you to find device nodes or
	  other objects with insecure permissions.
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find /dev -perm -0002</code></strong>
/dev/null
/dev/zero
/dev/ctty
/dev/random
/dev/fd/0
/dev/fd/1
/dev/fd/2
/dev/psm0
/dev/bpsm0
/dev/ptyp0
	</pre>

	<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="../images/note.png"></td>
<th align="left">Note</th>
</tr>
<tr><td align="left" valign="top">
	  <p>
	    Some device nodes have to be world-writable for a UNIX
	    system to function correctly. For instance, the
	    <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/dev/null</code></html:span> device is always writable.
	  </p>
	</td></tr>
</table></div>

	<p>
	  The symbolic notation of <span class="emphasis"><em>-perm</em></span>
	  parameters uses the same notation as the
	  <span class="command"><strong>chmod</strong></span> command.  Symbolic permissions are
	  built with a file mode where all bits are cleared, so it is
	  never necessary to use a dash to take away rights. This also
	  prevents ambiguity that could arise with the dash
	  prefix. Like the octal syntax, prefixing the permission with
	  a dash will match objects that have at least the specified
	  permission bits set. The use of symbolic names is quite
	  predictable - the following two commands repeat the previous
	  examples with symbolic permissions:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -perm u+rw</code></strong>
./secret/report.txt
	</pre>

	<pre class="screen">
$ <strong class="userinput"><code>find /dev -perm -o+w</code></strong>
/dev/null
/dev/zero
/dev/ctty
/dev/random
/dev/fd/0
/dev/fd/1
/dev/fd/2
/dev/psm0
/dev/bpsm0
/dev/ptyp0
	</pre>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="chap-filesystem-finding-find-time"></a>8.6.1.3. Operands that limit by object creation time</h4></div></div></div>
	

	<p>
	  There are three operands that operate on time intervals.
	  The syntax of the operand is <span class="emphasis"><em>operand n</em></span>,
	  where <span class="emphasis"><em>n</em></span> is the time in days. All three
	  operators calculate a time delta in seconds that is divided
	  by the the number of seconds in a day (86400), discarding
	  the remainder. So, if the delta is one day,
	  <span class="emphasis"><em>operand 1</em></span> will match for the
	  object. The three operands are:
	</p>

	<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
	    <p>
	      <span class="emphasis"><em>-atime n</em></span> - this operand evaluates
	      to true if the initialization time of <span class="command"><strong>find</strong></span>
	      minus the last access time of the object equals
	      to <span class="emphasis"><em>n</em></span>.
	    </p>
	  </li>
<li class="listitem">
	    <p>
	      <span class="emphasis"><em>-ctime n</em></span> - this operand evaluates
	      to true if the initialization time of
	      <span class="command"><strong>find</strong></span> minus the time of the latest
	      change in the file status information equals to
	      <span class="emphasis"><em>n</em></span>.
	    </p>
	  </li>
<li class="listitem">
	    <p>
	      <span class="emphasis"><em>-mtime n</em></span> - this operand evaluates
	      to true if the initialization time of
	      <span class="command"><strong>find</strong></span> minus the latest file change
	      time equals to <span class="emphasis"><em>n</em></span>.
	    </p>
	  </li>
</ul></div>

	<p>
	  So, these operands match if the latest access, change,
	  modification respectively was <span class="emphasis"><em>n</em></span> days
	  ago. To give an example, the following command shows all
	  objects in <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/etc</code></html:span> that have been modified
	  one day ago:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find /etc -mtime 1</code></strong>
/etc
/etc/group
/etc/master.passwd
/etc/spwd.db
/etc/passwd
/etc/pwd.db
	</pre>

	<p>
	  The plus or minus sign can be used as modifiers for the meaning
	  of <span class="emphasis"><em>n</em></span>. <span class="emphasis"><em>+n</em></span> means more
	  than <span class="emphasis"><em>n</em></span> days, <span class="emphasis"><em>-n</em></span>
	  means less than <span class="emphasis"><em>n</em></span> days. So, to find all
	  files in <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/etc</code></html:span> that were modified less
	  than two days ago, you could execute:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find /etc -mtime -2</code></strong>
/etc
/etc/network/run
/etc/network/run/ifstate
/etc/resolv.conf
/etc/default
/etc/default/locale
[...]
	</pre>

	<p>
	  Another useful time-based operand is the <span class="emphasis"><em>-newer
	  reffile</em></span> operand. This matches all files that were
	  modified later that the file with filename
	  <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">reffile</code></html:span>. The following example shows how
	  you could use this to list all files that have later modification
	  times than <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">economic/report2.txt</code></html:span>:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -newer economic/report2.txt</code></strong>
.
./technical
./technical/report2.txt
./technical/report.txt
./secret
./secret/report.txt
	</pre>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="chap-filesystem-finding-find-depth"></a>8.6.1.4. Operands that affect tree traversal</h4></div></div></div>
	

	<p>
	  Some operands affect the manner in which the
	  <span class="command"><strong>find</strong></span> command traverses the tree. The
	  first of these operands is the <span class="emphasis"><em>-xdev</em></span>
	  operand. <span class="emphasis"><em>-xdev</em></span> prevents that
	  <span class="command"><strong>find</strong></span> decends into directories that have a
	  different device ID, effectively avoiding traversal of other
	  filesystems. The directory to which the filesystem is
	  mounted, is printed, because this operand always returns
	  <span class="emphasis"><em>true</em></span>. A nice example is a system where
	  <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/usr</code></html:span> is mounted on a different filesystem
	  than <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/</code></html:span>. For instance, if we search for
	  directories with the name <span class="emphasis"><em>bin</em></span>, this may
	  yield the following result:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find / -name 'bin' -type d</code></strong>
/usr/bin
/bin
	</pre>

	<p>
	  But if we add <span class="emphasis"><em>-xdev</em></span>
	  <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/usr/bin</code></html:span> is not found, because it is on
	  a different filesystem (and device):
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find / -name 'bin' -type d -xdev</code></strong>
/bin
	</pre>

	<p>
	  The <span class="emphasis"><em>-depth</em></span> operand modifies the order
	  in which directories are evaluated. With
	  <span class="emphasis"><em>-depth</em></span> the contents of a directory are
	  evaluated first, and then the directory itself. This can be
	  witnessed in the following example:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -depth</code></strong>
./economic/report.txt
./economic/report2.txt
./economic
./technical/report2.txt
./technical/report.txt
./technical
.
	</pre>

	<p>
	  As you can see in the output, files in the
	  <span class="emphasis"><em>./economic</em></span> directory is evaluated
	  before <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">.</code></html:span>, and
	  <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">./economic/report.txt</code></html:span> before
	  <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">./economic</code></html:span>. <span class="emphasis"><em>-depth</em></span>
	  always evaluates to <span class="emphasis"><em>true</em></span>.
	</p>

	<p>
	  Finally, the <span class="emphasis"><em>-prune</em></span> operand causes find
	  not to decend into a directory that is being evaluated.
	  <span class="emphasis"><em>-prune</em></span> is discarded if the
	  <span class="emphasis"><em>-depth</em></span> operand is also
	  used. <span class="emphasis"><em>-prune</em></span> always evaluates to
	  <span class="emphasis"><em>true</em></span>.
	</p>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="chap-filesystem-finding-find-exec"></a>8.6.1.5. Operands that execute external utilities</h4></div></div></div>
	

	<p>
	  <span class="command"><strong>find</strong></span> becomes a very powerful tool when it
	  is combined with external utilities. This can be done with
	  the <span class="emphasis"><em>-exec</em></span> operand. There are two
	  syntaxes for the <span class="emphasis"><em>-exec</em></span> operand. The
	  first syntax is <span class="emphasis"><em>-exec utility arguments
	  ;</em></span>. The command <span class="emphasis"><em>utility</em></span> will
	  be executed with the arguments that were specified for each
	  object that is being evaluated. If any of the arguments is
	  <span class="emphasis"><em>{}</em></span>, these braces will be replaced by
	  the file being evaluated. This is very handy, especially when
	  we consider that, if we use no additional expression syntax,
	  operands will be evaluated from left to right. Let's look at
	  an example:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -perm 0666 -exec chmod 0644 {} \;</code></strong>
	</pre>

	<p>
	 The first operand returns true for files that have their
	 permissions set to <span class="emphasis"><em>0666</em></span>. The second
	 operand executes <span class="emphasis"><em>chmod 0644 filename</em></span> for
	 each file that is being evaluated. If you were wondering why
	 this command is not executed for every file, that is a good
	 question. Like many other interpreters of expressions,
	 <span class="command"><strong>find</strong></span> uses <span class="quote">“<span class="quote">short-circuiting</span>”</span>.
	 Because no other operator was specified, the logical
	 <span class="emphasis"><em>and</em></span> operator is automatically is assumed
	 between both operands. If the first operand evaluates to
	 <span class="emphasis"><em>false</em></span>, it makes no sense to evaluate any
	 further operands, because the complete expression will always
	 evaluate to false. So, the <span class="emphasis"><em>-exec</em></span> operand
	 will only be evaluated if the first operand is true. Another
	 particularity is that the semi-colon that closes the
	 <span class="emphasis"><em>-exec</em></span> is escaped, to prevent that the
	 shell parses it.
	</p>

	<p>
	  A nice thing about the <span class="emphasis"><em>-exec</em></span> operator
	  is that it evaluates to <span class="emphasis"><em>true</em></span> if the
	  command terminated sucessfully. So, you could also use
	  the <span class="emphasis"><em>-exec</em></span> command to add additional
	  conditions that are not represented by <span class="command"><strong>find</strong></span>
	  operands. For instance, the following command prints
	  all objects ending with <span class="emphasis"><em>.txt</em></span> that contain
	  the string <span class="emphasis"><em>gross income</em></span>:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -name '*.txt' -exec grep -q 'gross income' {} \; -print</code></strong>
./economic/report2.txt
	</pre>

	<p>
	  The <span class="command"><strong>grep</strong></span> command will be covered later on.
	   But for the moment, it is enough to know
	  that it can be used to match text patterns. The
	  <span class="emphasis"><em>-print</em></span> operand prints the current
	  object path. It is always used implicitly, except when the
	  <span class="emphasis"><em>-exec</em></span> or <span class="emphasis"><em>-ok</em></span>
	  operands are used. 
	</p>

	<p>
	  The second syntax of the <span class="emphasis"><em>-exec</em></span> operand
	  is <span class="emphasis"><em>-exec utility arguments {} +</em></span>. This
	  gathers a set of all matched object for which the expression
	  is true, and provides this set of files as an argument to
	  the utility that was specified. The first example of the
	  <span class="emphasis"><em>-exec</em></span> operand can also be written as:
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . -perm 0666 -exec chmod 0644 {} +</code></strong>
	</pre>

	<p>
	  This will execute the <span class="command"><strong>chmod</strong></span> command only
	  once, with all files for which the expression is true as its
	  arguments. This operand always returns <span class="emphasis"><em>true</em></span>.
	</p>

	<p>
	  If a command executed by find returns a non-zero value
	  (meaning that the execution of the command was not
	  succesful), <span class="command"><strong>find</strong></span> should also return a
	  non-zero value.
	</p>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="chap-filesystem-finding-find-operators"></a>8.6.1.6. Operators for building complex expressions</h4></div></div></div>
	

	<p>
	  <span class="command"><strong>find</strong></span> provides some operators that can be
	  combined to make more complex expressions:
	</p>

	<div class="variablelist">
<p class="title"><b>Operators</b></p>
<dl class="variablelist">
<dt><span class="term">( expr )</span></dt>
<dd>
	      <p>
		Evaluates to <span class="emphasis"><em>true</em></span> if
		<span class="emphasis"><em>expr</em></span> evaluates to
		<span class="emphasis"><em>true</em></span>.
	      </p>
	    </dd>
<dt><span class="term">expr1 [-a] expr2</span></dt>
<dd>
	      <p>
		Evaluates to <span class="emphasis"><em>true</em></span> if both
		<span class="emphasis"><em>expr1</em></span> and <span class="emphasis"><em>expr2</em></span>
		are true. If <span class="emphasis"><em>-a</em></span> is omitted,
		this operator is implicitly assumed.
	      </p>

	      <p>
		<span class="command"><strong>find</strong></span> will use short-circuiting when
		this operator is evaluated: <span class="emphasis"><em>expr2</em></span>
		will not be evaluated when <span class="emphasis"><em>expr1</em></span>
		evaluates to <span class="emphasis"><em>false</em></span>
	      </p>
	    </dd>
<dt><span class="term">expr1 -o expr2</span></dt>
<dd>
	      <p>
		Evaluates to <span class="emphasis"><em>true</em></span> if either or
		both <span class="emphasis"><em>expr1</em></span> and
		<span class="emphasis"><em>expr2</em></span> are true.
	      </p>

	      <p>
		<span class="command"><strong>find</strong></span> will use short-circuiting when
		this operator is evaluated: <span class="emphasis"><em>expr2</em></span>
		will not be evaluated when <span class="emphasis"><em>expr1</em></span>
		evaluates to <span class="emphasis"><em>true</em></span>
	      </p>
	    </dd>
<dt><span class="term">! expr</span></dt>
<dd>
	      <p>
		Negates <span class="emphasis"><em>expr</em></span>. So, if
		<span class="emphasis"><em>expr</em></span> evaluates to true, this
		expression will evaluate to <span class="emphasis"><em>false</em></span>
		and vise versa.
	      </p>
	    </dd>
</dl>
</div>

	<p>
	  Since both the parentheses and exclamation mark characters
	  are interpreted by most shells, they should usually be
	  escaped.
	</p>

	<p>
	  The following example shows some operators in action. This
	  command executes <span class="command"><strong>chmod</strong></span> for all files that
	  either have their permissions set to
	  <span class="emphasis"><em>0666</em></span> or <span class="emphasis"><em>0664</em></span>.
	</p>

	<pre class="screen">
$ <strong class="userinput"><code>find . \( -perm 0666 -o -perm 0664 \) -exec chmod 0644 {} \;</code></strong>
	</pre>
      </div>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-finding-which"></a>8.6.2. which</h3></div></div></div>
      

      <p>
	The <span class="command"><strong>which</strong></span> command is not part of the Single
	UNIX Specification version 3, but it is provided by most
	sysmtems. <span class="command"><strong>which</strong></span> locates a command that is
	in the user's path (as set by the PATH environment variable),
	printing its full path. Providing the name of a command as its
	parameter will show the full path:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>which ls</code></strong>
/bin/ls
      </pre>

      <p>
	You can also query the paths of multiple commands:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>which ls cat</code></strong>
/bin/ls
/bin/cat
      </pre>

      <p>
        <span class="command"><strong>which</strong></span> returns a non-zero return value
	if the command could not be found.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-finding-whereis"></a>8.6.3. whereis</h3></div></div></div>
      

      <p>
	This <span class="command"><strong>whereis</strong></span> command searches binaries, manual pages and sources of a
	command in some predefined places. For instance, the following
	command shows the path of the <span class="command"><strong>ls</strong></span> and the
	<span class="citerefentry"><span class="refentrytitle">ls</span>(1)</span>
	manual page:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>whereis ls</code></strong>
ls: /bin/ls /usr/share/man/man1/ls.1.gz
      </pre>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="chap-filesystem-finding-locate"></a>8.6.4. locate</h3></div></div></div>
      

      <p>
        Slackware Linux also provides the
	<span class="command"><strong>locate</strong></span> command that searches through a file
	database that can be generated periodically with the
	<span class="command"><strong>updatedb</strong></span> command. Since it uses a prebuilt
	database of the filesystem, it is a lot faster than
	<span class="command"><strong>which</strong></span>, especially when directory entry
	information has not been cached yet. Though, the
	<span class="command"><strong>locate</strong></span>/<span class="command"><strong>updatedb</strong></span> combo
	has some downsides:
      </p>

      <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
	  <p>
	    New files are not part of the database until the next
	    <span class="command"><strong>updatedb</strong></span> invocation.
	  </p>
	</li>
<li class="listitem">
	  <p>
	    <span class="command"><strong>locate</strong></span> has no conception of
	    permissions, so users may locate files that are normally
	    hidden to them.
	  </p>
	</li>
<li class="listitem">
	  <p>
	    A newer implementation, named <span class="emphasis"><em>slocate</em></span>
	    deals with permissions, but requires elevated privileges.
	    This is the <span class="command"><strong>locate</strong></span> variation that is
	    included with Slackware Linux.
	  </p>
	</li>
</ul></div>

      <p>
	With filesystems becoming faster, and by applying common sense
	when formulating <span class="command"><strong>find</strong></span> queries,
	<span class="command"><strong>locate</strong></span> does not really seem worth the
	hassle. Of course, your mileage may vary. That said, the basic
	usage of <span class="command"><strong>locate</strong></span> is <span class="emphasis"><em>locate
	filename</em></span>. For example:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>locate locate</code></strong>
/usr/bin/locate
/usr/lib/locate
/usr/lib/locate/bigram
/usr/lib/locate/code
/usr/lib/locate/frcode
[...]
      </pre>

    </div>
  </div>

  <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="basics-filesystem-archives"></a>8.7. Archives</h2></div></div></div>
    

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="basics-filesystem-archives-introduction"></a>8.7.1. Introduction</h3></div></div></div>
      

      <p>
	Sooner or later a GNU/Linux user will encounter
	<acronym class="acronym">tar</acronym> archives, tar is the standard format
	for archiving files on GNU/Linux.  It is often used in
	conjunction with <span class="command"><strong>gzip</strong></span> or
	<span class="command"><strong>bzip2</strong></span>. Both commands can compress files and
	archives.  <a class="xref" href="chap-filesystem.html#archive-extentions" title="Table 8.6. Archive file extensions">Table 8.6, “Archive file extensions”</a> lists
	frequently used archive extensions, and what they mean.
      </p>

      <div class="table">
<a name="archive-extentions"></a><p class="title"><b>Table 8.6. Archive file extensions</b></p>
<div class="table-contents">
	
	<table summary="Archive file extensions" border="1">
<colgroup>
<col>
<col>
</colgroup>
<thead><tr>
<th align="left">Extension</th>
<th align="left">Meaning</th>
</tr></thead>
<tbody>
<tr>
<td align="left">.tar</td>
<td align="left">An uncompressed tar archive</td>
</tr>
<tr>
<td align="left">.tar.gz</td>
<td align="left">A tar archive compressed with gzip</td>
</tr>
<tr>
<td align="left">.tgz</td>
<td align="left">A tar archive compressed with gzip</td>
</tr>
<tr>
<td align="left">.tar.bz2</td>
<td align="left">A tar archive compressed with bzip2</td>
</tr>
<tr>
<td align="left">.tbz</td>
<td align="left">A tar archive compressed with bzip2</td>
</tr>
</tbody>
</table>
      </div>
</div>
<br class="table-break">

      <p>
	The difference between <span class="command"><strong>bzip2</strong></span> and
	<span class="command"><strong>gzip</strong></span> is that <span class="command"><strong>bzip2</strong></span> can
	find repeating information in larger blocks, resulting in
	better compression. But <span class="command"><strong>bzip2</strong></span> is also a lot
	slower, because it does more data analysis.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="basics-filesystem-archives-extracting"></a>8.7.2. Extracting archives</h3></div></div></div>
      

      <p>
	Since many software and data in the GNU/Linux world is
	archived with <span class="command"><strong>tar</strong></span> it is important to get
	used to extracting tar archives. The first thing you will
	often want to do when you receive a tar archive is to list its
	contents. This can be achieved by using the <em class="parameter"><code>t</code></em> parameter. However, if we just
	execute <span class="command"><strong>tar</strong></span> with this parameter and the
	name of the archive it will just sit and wait until you enter
	something to the standard input:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>tar t test.tar</code></strong>
      </pre>

      <p>
	This happens because <span class="command"><strong>tar</strong></span> reads data from
	its standard input. If you forgot how redirection works, it is
	a good idea to reread <a class="xref" href="chap-shell.html#chap-shell-inout" title="7.7. Redireccions i canonades">Section 7.7, “Redireccions i canonades ”</a>. Let's
	see what happens if we redirect our tar archive to tar:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>tar t &lt; test.tar</code></strong>
test/
test/test2
test/test1
      </pre>

      <p>
	That looks more like the output you probably expected. This
	archive seems to contain a directory
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">test</code></html:span>, which contains the files
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">test2</code></html:span> and <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">test1</code></html:span>.  It
	is also possible to specify the archive file name as an
	parameter to <span class="command"><strong>tar</strong></span>, by using the <em class="parameter"><code>f</code></em> parameter:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>tar tf test.tar</code></strong>
test/
test/test2
test/test1
      </pre>

      <p>
	This looks like an archive that contains useful files ;). We
	can now go ahead, and extract this archive by using the
	<em class="parameter"><code>x</code></em> parameter:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>tar xf test.tar</code></strong>
      </pre>

      <p>
	We can now verify that tar really extracted the archive by
	listing the contents of the directory with
	<span class="command"><strong>ls</strong></span>:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>ls test/</code></strong>
test1  test2
      </pre>

      <p>
	Extracting or listing files from a gzipped or bzipped archive
	is not much more difficult. This can be done by adding a
	<em class="parameter"><code>z</code></em> or <em class="parameter"><code>j</code></em> for respectively archives
	compressed with <span class="command"><strong>gzip</strong></span> or
	<span class="command"><strong>bzip2</strong></span>.  For example, we can list the
	contents of a gzipped archive with:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>tar ztf archive2.tar.gz</code></strong>
      </pre>

      <p>
	And a bzipped archive can be extracted with:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>tar jxf archive3.tar.bz2</code></strong>
      </pre>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="basics-filesystem-archives-creating"></a>8.7.3. Creating archives</h3></div></div></div>
      

      <p>
	You can create archives with the <em class="parameter"><code>c</code></em> parameter. Suppose that we have
	the directory <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">test</code></html:span> shown in the previous
	example. We can make an archive with the
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">test</code></html:span> directory and the files in this
	directory with:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>tar cf important-files.tar test</code></strong>
      </pre>

      <p>
	This will create the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">important-files.tar</code></html:span>
	archive (which is specified with the <em class="parameter"><code>f</code></em> parameter). We can now verify
	the archive:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>tar tf important-files.tar</code></strong>
test/
test/test2
test/test1
      </pre>

      <p>
	Creating a gzipped or bzipped archive goes along the same
	lines as extracting compressed archives: add a <em class="parameter"><code>z</code></em> for gzipping an archive, or
	<em class="parameter"><code>b</code></em> for bzipping an
	archive. Suppose that we wanted to create a
	<span class="command"><strong>gzip</strong></span> compressed version of the archive
	created above. We can do this with:
      </p>

      <pre class="screen">
<strong class="userinput"><code>tar zcf important-files.tar.gz test</code></strong>
      </pre>
    </div>
  </div>

  <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="basics-filesystem-mounting"></a>8.8. Mounting filesystems</h2></div></div></div>
    

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="basics-filesystem-mounting-introduction"></a>8.8.1. Introduction</h3></div></div></div>
      

      <p>
	Like most Unices Linux uses a technique named
	<span class="quote">“<span class="quote">mounting</span>”</span> to access filesystems. Mounting means
	that a filesystem is connected to a directory in the root
	filesystem. One could for example mount a CD-ROM drive to the
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/mnt/cdrom</code></html:span> directory. Linux supports many
	kinds of filesystems, like Ext2, Ext3, ReiserFS, JFS, XFS,
	ISO9660 (used for CD-ROMs), UDF (used on some DVDs) and
	DOS/Windows filesystems, like FAT, FAT32 and NTFS. These
	filesystems can reside on many kinds of media, for example
	hard drives, CD-ROMs and Flash drives. This section explains
	how filesystems can be mounted and unmounted.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="basics-filesystem-mounting-mount"></a>8.8.2. mount</h3></div></div></div>
      

      <p>
	The <span class="command"><strong>mount</strong></span> is used to mount filesystems. The
	basic syntax is: <span class="quote">“<span class="quote">mount /dev/devname
	/mountpoint</span>”</span>. The device name can be any block device,
	like hard disks or CD-ROM drives. The mount point can be an
	arbitrary point in the root filesystem. Let's look at an
	example:
      </p>

      <pre class="screen">
# <strong class="userinput"><code>mount /dev/cdrom /mnt/cdrom</code></strong>
      </pre>

      <p>
	This mounts the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/dev/cdrom</code></html:span> on the
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/mnt/cdrom</code></html:span> mountpoint. The
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/dev/cdrom</code></html:span> device name is normally a link
	to the real CD-ROM device name (for example,
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/dev/hdc</code></html:span>). As you can see, the concept is
	actually very simple, it just takes some time to learn the
	device names ;). Sometimes it is necessary to specify which
	kind of filesystem you are trying to mount.  The filesystem
	type can be specified by adding the <em class="parameter"><code>-t</code></em> parameter:
      </p>

      <pre class="screen">
# <strong class="userinput"><code>mount -t vfat /dev/sda1 /mnt/flash</code></strong>
      </pre>

      <p>
	This mounts the vfat filesystem on
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/dev/sda1</code></html:span> to
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/mnt/flash</code></html:span>.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="basics-filesystem-mounting-umount"></a>8.8.3. umount</h3></div></div></div>
      

      <p>
	The <span class="command"><strong>umount</strong></span> command is used to unmount
	filesystems.  <span class="command"><strong>umount</strong></span> accepts two kinds of
	parameters, mount points or devices. For example:
      </p>

      <pre class="screen">
# <strong class="userinput"><code>umount /mnt/cdrom</code></strong>
# <strong class="userinput"><code>umount /dev/sda1</code></strong>
      </pre>

      <p>
	The first command unmounts the filesystem that was mounted on
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/mnt/cdrom</code></html:span>, the second commands unmounts
	the filesystem on <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/dev/sda1</code></html:span>.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="basics-filesystem-mounting-fstab"></a>8.8.4. The fstab file</h3></div></div></div>
      

      <p>
	The GNU/Linux system has a special file,
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/etc/fstab</code></html:span>, that specifies which
	filesystems should be mounted during the system boot.  Let's
	look at an example:
      </p>

      <pre class="screen">
/dev/hda10       swap             swap        defaults         0   0
/dev/hda5        /                xfs         defaults         1   1
/dev/hda6        /var             xfs         defaults         1   2
/dev/hda7        /tmp             xfs         defaults         1   2
/dev/hda8        /home            xfs         defaults         1   2
/dev/hda9        /usr             xfs         defaults         1   2
/dev/cdrom       /mnt/cdrom       iso9660     noauto,owner,ro  0   0
/dev/fd0         /mnt/floppy      auto        noauto,owner     0   0
devpts           /dev/pts         devpts      gid=5,mode=620   0   0
proc             /proc            proc        defaults         0   0
      </pre>

      <p>
	As you can see each entry in the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">fstab</code></html:span>
	file has five entries: fs_spec, fs_file, fs_vfstype,
	fs_mntops, fs_freq, and fs_passno.  We are now going to look
	at each entry.
      </p>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="idm962484252"></a>8.8.4.1. fs_spec</h4></div></div></div>
	

	<p>
	  The fs_spec option specifies the block device, or remote
	  filesystem that should be mounted. As you can see in the
	  example several /dev/hda partitions are specified, as well
	  as the CD-ROM drive and floppy drive. When NFS volumes are
	  mounted an IP address and directory can be specified, for
	  example: <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">192.168.1.10:/exports/data</code></html:span>.
	</p>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="idm962483076"></a>8.8.4.2. fs_file</h4></div></div></div>
	

	<p>
	  fs_file specifies the mount point. This can be an arbitrary
	  directory in the filesystem.
	</p>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="idm962482276"></a>8.8.4.3. fs_vfstype</h4></div></div></div>
	

	<p>
	  This option specifies what kind of filesystem the entry
	  represents. For example this can be: ext2, ext3, reiserfs,
	  xfs, nfs, vfat, or ntfs.
	</p>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="idm962481540"></a>8.8.4.4. fs_mntops</h4></div></div></div>
	

	<p>
	  The fs_mntops option specifies which parameters should be
	  used for mounting the filesystem. The
	  <span class="command"><strong>mount</strong></span> manual page has an extensive
	  description of the available options. These are the most
	  interesting options:
	</p>

	<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
	    <p>
	      <span class="emphasis"><em>noauto</em></span>: filesystems that are listed
	      in <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">/etc/fstab</code></html:span> are normally mounted
	      automatically. When the <span class="quote">“<span class="quote">noauto</span>”</span> option is
	      specified, the filesystem will not be mounted during the
	      system boot, but only after issuing a
	      <span class="command"><strong>mount</strong></span> command. When mounting such
	      filesystem, only the mount point or device name has to
	      be specified, for example: <span class="command"><strong>mount
	      /mnt/cdrom</strong></span>
	    </p>
	  </li>
<li class="listitem">
	    <p>
	      <span class="emphasis"><em>user</em></span>: adding the
	      <span class="quote">“<span class="quote">user</span>”</span> option will allow normal users to
	      mount the filesystem (normally only the superuser is
	      allowed to mount filesystems).
	    </p>
	  </li>
<li class="listitem">
	    <p>
	      <span class="emphasis"><em>owner</em></span>: the <span class="quote">“<span class="quote">owner</span>”</span>
	      option will allow the owner of the specified device to
	      mount the specified device. You can see the owner of a
	      device using <span class="command"><strong>ls</strong></span>, e.g.  <span class="command"><strong>ls -l
	      /dev/cdrom</strong></span>.
	    </p>
	  </li>
<li class="listitem">
	    <p>
	      <span class="emphasis"><em>noexec</em></span>: with this option enabled
	      users can not run files from the mounted
	      filesystem. This can be used to provide more security.
	    </p>
	  </li>
<li class="listitem">
	    <p>
	      <span class="emphasis"><em>nosuid</em></span>: this option is comparable
	      to the <span class="quote">“<span class="quote">noexec</span>”</span> option. With
	      <span class="quote">“<span class="quote">nosuid</span>”</span> enabled SUID bits on files on the
	      filesystem will not be allowed. SUID is used for certain
	      binaries to provide a normal user to do something
	      privileged.  This is certainly a security threat, so
	      this option should really be used for removable media,
	      etc. A normal user mount will force the nosuid option,
	      but a mount by the superuser will not!
	    </p>
	  </li>
<li class="listitem">
	    <p>
	      <span class="emphasis"><em>unhide</em></span>: this option is only
	      relevant for normal CD-ROMs with the ISO9660
	      filesystem. If <span class="quote">“<span class="quote">unhide</span>”</span> is specified hidden
	      files will also be visible.
	    </p>
	  </li>
</ul></div>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="idm962472268"></a>8.8.4.5. fs_freq</h4></div></div></div>
	

	<p>
	  If the <span class="quote">“<span class="quote">fs_freq</span>”</span> is set to 1 or higher, it
	  specifies after how many days a filesystem dump (backup) has
	  to be made. This option is only used when <a class="ulink" href="http://dump.sourceforge.net/" target="_top">dump</a> is
	  installed, and set up correctly to handle this.
	</p>
      </div>

      <div class="sect3">
<div class="titlepage"><div><div><h4 class="title">
<a name="idm962471308"></a>8.8.4.6. fs_passno</h4></div></div></div>
	

	<p>
	  This field is used by <span class="command"><strong>fsck</strong></span> to determine
	  the order in which filesystems are checked during the system
	  boot.
	</p>
      </div>
    </div>

  </div>

  <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="basics-filesystem-gnupg"></a>8.9. Encrypting and signing files</h2></div></div></div>
    

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="idm962469364"></a>8.9.1. Introduction</h3></div></div></div>
      

      <p>
	There are two security mechanisms for securing files: signing
	files and encrypting files. Signing a file means that a
	special digital signature is generated for a file. You, or
	other persons can use the signature to verify the integrity of
	the file. File encryption encodes a file in a way that only a
	person for which the file was intended to read can read the
	file.
      </p>

      <p>
	This system relies on two keys: the private and the public
	key. Public keys are used to encrypt files, and files can only
	be decrypted with the private key. This means that one can
	sent his public key out to other persons. Others can use this
	key to send encrypted files, that only the person with the
	private key can decode. Of course, this means that the
	security of this system depends on how well the private is
	kept secret.
      </p>

      <p>
	Slackware Linux provides an excellent tool for signing and
	encrypting files, named GnuPG. GnuPG can be installed from the
	<span class="quote">“<span class="quote">n</span>”</span> disk set.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="idm962467060"></a>8.9.2. Generating your private and public keys</h3></div></div></div>
      

      <p>
	Generating public and private keys is a bit complicated,
	because GnuPG uses DSA keys by default. DSA is an encryption
	algorithm, the problem is that the maximum key length of DSA
	is 1024 bits, this is considered too short for the longer
	term. That is why it is a good idea to use 2048 bit RSA
	keys. This section describers how this can be done.
      </p>

      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="../images/note.png"></td>
<th align="left">Note</th>
</tr>
<tr><td align="left" valign="top">
	<p>
	  1024-bit keys were believed to be secure for a long
	  time. But Bernstein's paper <span class="emphasis"><em>Circuits for Integer
	  Factorization: a Proposal</em></span> contests this, the
	  bottom line is that it is quite feasible for national
	  security agencies to produce hardware that can break keys in
	  a relatively short amount of time.  Besides that it has be
	  shown that 512-bit RSA keys can be broken in a relatively
	  short time using common hardware. More information about
	  these issues can by found in this e-mail to the cypherpunks
	  list:
	<a class="ulink" href="http://tin.le.org/vault/security/encryption/rsa1024.html" target="_top">http://tin.le.org/vault/security/encryption/rsa1024.html</a>
	</p>
      </td></tr>
</table></div>

      <p>
	We can generate a key by executing:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --gen-key</code></strong>
      </pre>

      <p>
	The first question is what kind of key you would like to
	make. We will choose <span class="emphasis"><em>(4) RSA (sign only)</em></span>:
      </p>

      <pre class="screen">
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) RSA (sign only)
Your selection? <strong class="userinput"><code>4</code></strong>
      </pre>

      <p>
	You will then be asked what the size of the key you want to
	generate has to be. Type in <span class="emphasis"><em>2048</em></span> to
	generate a 2048 bit key, and press enter to continue.
      </p>

      <pre class="screen">
What keysize do you want? (1024) <strong class="userinput"><code>2048</code></strong>
      </pre>

      <p>
	The next question is simple to answer, just choose what you
	like. Generally speaking it is not a bad idea to let the key
	be valid infinitely. You can always deactivate the key with a
	special revocation certificate.
      </p>

      <pre class="screen">
Please specify how long the key should be valid.
         0 = key does not expire
      &lt;n&gt;  = key expires in n days
      &lt;n&gt;w = key expires in n weeks
      &lt;n&gt;m = key expires in n months
      &lt;n&gt;y = key expires in n years
Key is valid for? (0) <strong class="userinput"><code>0</code></strong>
      </pre>

      <p>
	GnuPG will then ask for confirmation. After confirming your
	name and e-mail address will be requested. GnuPG will also ask
	for a comment, you can leave this blank, or you could fill in
	something like <span class="quote">“<span class="quote">Work</span>”</span> or <span class="quote">“<span class="quote">Private</span>”</span>,
	to indicate what the key is used for. For example:
      </p>

      <pre class="screen">
Real name: <strong class="userinput"><code>John Doe</code></strong>
Email address: <strong class="userinput"><code>john@doe.com</code></strong>
Comment: <strong class="userinput"><code>Work</code></strong>              
You selected this USER-ID:
    "John Doe (Work) &lt;john@doe.com&gt;"
      </pre>

      <p>
	GnuPG will the ask you to confirm your user ID. After
	confirming it GnuPG will ask you to enter a password. Be sure
	to use a good password:
      </p>

      <pre class="screen">
You need a Passphrase to protect your secret key.    

Enter passphrase:
      </pre>

      <p>
	After entering the password twice GnuPG will generate the
	keys. But we are not done yet. GnuPG has only generated a key
	for signing information, not for encryption of information. To
	continue, have a look at the output, and look for the key
	ID. In the information about the key you will see
	<span class="emphasis"><em>pub 2048R/</em></span>. The key ID is printed after
	this fragment.  In this example:
      </p>

      <pre class="screen">
public and secret key created and signed.
key marked as ultimately trusted.

pub  2048R/8D080768 2004-07-16 John Doe (Work) &lt;john@doe.com&gt;
     Key fingerprint = 625A 269A 16B9 C652 B953  8B64 389A E0C9 8D08 0768
      </pre>

      <p>
	the key ID is <span class="emphasis"><em>8D080768</em></span>. If you lost the
	output of the key generation you can still find the key ID in
	the output of the <span class="command"><strong>gpg --list-keys</strong></span>
	command. Use the key ID to tell GnuPG that you want to edit
	your key:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --edit-key &lt;Key ID&gt;</code></strong>
      </pre>

      <p>
	With the example key above the command would be:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --edit-key 8D080768</code></strong>
      </pre>

      <p>
	GnuPG will now display a command prompt. Execute the
	<span class="command"><strong>addkey</strong></span> command on this command prompt:
      </p>

      <pre class="screen">
Command&gt; <strong class="userinput"><code>addkey</code></strong>
      </pre>

      <p>
	GnuPG will now ask the password you used for your key:
      </p>

      <pre class="screen">
Key is protected.

You need a passphrase to unlock the secret key for
user: "John Doe (Work) &lt;john@doe.com&gt;"
2048-bit RSA key, ID 8D080768, created 2004-07-16

Enter passphrase:
      </pre>

      <p>
	After entering the password GnuPG will ask you what kind of
	key you would like to create. Choose <span class="emphasis"><em>RSA (encrypt
	only)</em></span>, and fill in the information like you did
	earlier (be sure to use a 2048 bit key).  For example:
      </p>

      <pre class="screen">
Please select what kind of key you want:
   (2) DSA (sign only)
   (3) ElGamal (encrypt only)
   (4) RSA (sign only)
   (5) RSA (encrypt only)
Your selection? <strong class="userinput"><code>5</code></strong>
What keysize do you want? (1024) <strong class="userinput"><code>2048</code></strong>
Requested keysize is 2048 bits       
Please specify how long the key should be valid.
         0 = key does not expire
      &lt;n&gt;  = key expires in n days
      &lt;n&gt;w = key expires in n weeks
      &lt;n&gt;m = key expires in n months
      &lt;n&gt;y = key expires in n years
Key is valid for? (0) <strong class="userinput"><code>0</code></strong>
      </pre>

      <p>
	And confirm that the information is correct. After the key is
	generated you can leave the GnuPG command prompt, and save the
	new key with the <span class="command"><strong>save</strong></span> command:
      </p>

      <pre class="screen">
Command&gt; <strong class="userinput"><code>save</code></strong>
      </pre>

      <p>
	Congratulations! You have now generated the necessary keys to
	encrypt and decrypt e-mails and files. You can now configure
	your e-mail client to use GnuPG. It is a good idea to store
	the contents of the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">.gnupg</code></html:span> directory on
	some reliable medium, and store that in a safe place! If your
	private key is lost you can't decrypt files and messages that
	were encrypted with your public key. If the private key, and
	your password are stolen, the security of this system is
	completely compromised.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="idm962448948"></a>8.9.3. Exporting your public key</h3></div></div></div>
      

      <p>
	To make GnuPG useful, you have to give your public key to
	people who send you files or e-mails. They can use your public
	key to encrypt files, or use it to verify whether a file has a
	correct signature or not. The key can be exported using the
	<em class="parameter"><code>--export</code></em> parameter. It
	is also a good idea to specify the <em class="parameter"><code>--output</code></em> parameter, this will save
	the key in a file. The following command would save the public
	key of <span class="emphasis"><em>John Doe</em></span>, used in earlier
	examples, to the file <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">key.gpg</code></html:span>:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --output key.gpg --export john@doe.com</code></strong>
      </pre>

      <p>
	This saves the key in binary format. Often it is more
	convenient to use the so-called <span class="quote">“<span class="quote">ASCII armored
	output</span>”</span>, which fits better for adding the key to
	e-mails, or websites. You export an ASCII armored version of
	the key by adding the <em class="parameter"><code>--armor</code></em> parameter:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --armor --output key.gpg --export john@doe.com</code></strong>
      </pre>

      <p>
	If you look at the <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">key.gpg</code></html:span> file you will
	notice that the ASCII armored key is a much more comfortable
	format.
      </p>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="idm962444740"></a>8.9.4. Signatures</h3></div></div></div>
      

      <p>
	With GPG you can make a signature for a file. This signature
	is unique, because your signature can only be made with your
	private key. This means that other people can check whether
	the file was really sent by you, and whether it was in any way
	altered or not. Files can be signed with the <em class="parameter"><code>--detach-sign</code></em> parameter. Let us
	look at an example. This command will make a signature for the
	<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">memo.txt</code></html:span> file. The signature will be
	stored in <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">memo.txt.sig</code></html:span>.
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --output memo.txt.sig --detach-sign memo.txt</code></strong>

You need a passphrase to unlock the secret key for
user: "John Doe (Work) &lt;john@doe.com&gt;"
2048-bit RSA key, ID 8D080768, created 2004-07-16

Enter passphrase:
      </pre>

      <p>
	As you can see, GnuPG will ask you to enter the password for
	your private key. After you have entered the right password the
	signature file (<html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">memo.txt.sig</code></html:span>) will be
	created.
      </p>

      <p>
	You can verify a file with its signature using the <em class="parameter"><code>--verify</code></em> parameter. Specify the
	signature file as a parameter to the <em class="parameter"><code>--verify</code></em> parameter. The file that
	needs to be verified can be specified as the final parameter:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --verify memo.txt.sig memo.txt</code></strong>
gpg: Signature made Tue Jul 20 23:47:45 2004 CEST using RSA key ID 8D080768
gpg: Good signature from "John Doe (Work) &lt;john@doe.com&gt;"
      </pre>

      <p>
	This will confirm that the file was indeed signed by
	<span class="emphasis"><em>John Doe (Work) &lt;john@doe.com&gt;</em></span>,
	with the key <span class="emphasis"><em>8D080768</em></span>, and that the file
	is unchanged. Suppose the file was changed, GnuPG would have
	complained about it loudly:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --verify memo.txt.sig memo.txt</code></strong>
gpg: Signature made Tue Jul 20 23:47:45 2004 CEST using RSA key ID 8D080768
gpg: BAD signature from "John Doe (Work) &lt;john@doe.com&gt;"
      </pre>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="idm962437788"></a>8.9.5. Encryption</h3></div></div></div>
      

      <p>
	One of the main features of GnuPG is encryption. Due to its
	use of asymmetric cryptography, the person who encrypts a file
	and the person who decrypts a file do not need to share a
	key. You can encrypt a file with the public key of another
	person, and that other person can decrypt it with his or her
	private key. You can encrypt files with the <em class="parameter"><code>--encrypt</code></em>. If you do not specify a
	user ID for which the file should be encrypted, GnuPG will
	prompt for the user ID. You can specify the user ID with the
	<em class="parameter"><code>-r</code></em> parameter. In the
	following example, the file <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">secret.txt</code></html:span>
	will be encrypted for another person named <span class="emphasis"><em>John
	Doe</em></span>:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --encrypt -r "John Doe" secret.txt</code></strong>
      </pre>

      <p>
	The user ID is quoted with double quotes for making sure that
	the ID is interpreted as a single program argument. After the
	encryption is completed, the encrypted version of the file
	will be available as <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">secret.txt.gpg</code></html:span>.
      </p>

      <p>
	The user who receives the file can decrypt it with the
	<em class="parameter"><code>--decrypt</code></em> parameter of
	the <span class="command"><strong>gpg</strong></span> command:
      </p>

      <pre class="screen">
$ <strong class="userinput"><code>gpg --output secret.txt --decrypt secret.txt.gpg</code></strong>

You need a passphrase to unlock the secret key for
user: "John Doe (Work) &lt;john@doe.com&gt;"
2048-bit RSA key, ID 8D080768, created 2004-07-16 (main key ID EC3ED1AB)

Enter passphrase:

gpg: encrypted with 2048-bit RSA key, ID 8D080768, created 2004-07-16
      "John Doe (Work) &lt;john@doe.com&gt;"
      </pre>

      <p>
	In this example the <em class="parameter"><code>--output</code></em> parameter is used store
	the decrypted content in <html:span xmlns:html="http://www.w3.org/1999/xhtml" class="filename"><code class="filename">secret.txt</code></html:span>.
      </p>
    </div>
  </div>
<div class="footnotes">
<br><hr style="width:100; text-align:left;margin-left: 0">
<div id="ftn.idm962816236" class="footnote">
	<p><a href="#idm962816236" class="para"><sup class="para">[4] </sup></a>At the time of writing, ACLs were supported on ext2,
        ext3, and XFS filesystems</p> </div>
<div id="ftn.idm962784100" class="footnote">
          <p><a href="#idm962784100" class="para"><sup class="para">[5] </sup></a>Yeah, you can be creative with magic numbers
          too!</p> </div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="chap-shell.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="basics.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="chap-textproc.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter 7. El shell </td>
<td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td>
<td width="40%" align="right" valign="top"> Chapter 9. Text processing</td>
</tr>
</table>
</div>
</body>
</html>
